为什么 PHP PDO 不保护我的查询免遭注入?

发布于 2024-12-17 14:42:07 字数 1061 浏览 0 评论 0原文

我仍在全面学习 PDO 的过程中,但是当我今天晚上检查它是否可以用于 SQL 注入 URL 参数时,我感到有点惊讶,令我惊讶的是,它确实有效。于是我开始思考;发布的值应该使用 PDO 准备好的语句自动清理,这意味着我的 SQL 查询一定有问题,对吗?

我有一个页面需要 GET 变量,以便使用该 ID 从数据库中收集相应的数据。我创建了一个函数,其中包括准备查询以及执行查询以简化编码过程。我现在编写的代码如下所示:

 $request = $_GET['movie'];
 $sql = "SELECT * FROM `movies` WHERE `url` = '$request'";
 $db = new database;
 $db->setDBC();

 $process = $db->executeQuery($sql);
 $cmd = $process->fetch(PDO::FETCH_NUM);

 $title = $cmd[1];

我得到的 PDO 异常是:

致命错误:未捕获异常“PDOException”,消息为“SQLSTATE[42000]:语法错误或访问冲突:1064 您的 SQL 语法有错误;检查与您的 MySQL 服务器版本相对应的手册,了解在 C:\xampp\htdocs\filmvote\include\databaseClass.php:33 中第 1 行“21-31282 ''' 附近使用的正确语法”堆栈跟踪:# 0 C:\xampp\htdocs\filmvote\include\databaseClass.php(33): PDOStatement->execute() #1 C:\xampp\htdocs\filmvote\recension.php(9):databaseManagement->executeQuery('SELECT * FROM `...') #2 {main} 抛出在 C:\xampp\htdocs\filmvote\include\ 中databaseClass.php 第 33 行

在 URL 中添加 ' 或 1-1 时会出现此类错误。对此我能做什么?真的很感谢您的帮助。

I'm still in the progress of learning PDO fully, but I was kind of surprised when I checked this evening if it worked to SQL Inject the URL parameter, and to my surprise, it did work. So I started thinking; the posted values are supposed to be sanitized automatically using PDO - prepared statements, which means there must be something wrong with my SQL query, am I right?

I'm having a page that needs a GET variable in order to gather corresponding data from my database with that ID. I have created a function that includes preparing the query, and as well as executing it to simplify the coding process. The code I have written now looks like:

 $request = $_GET['movie'];
 $sql = "SELECT * FROM `movies` WHERE `url` = '$request'";
 $db = new database;
 $db->setDBC();

 $process = $db->executeQuery($sql);
 $cmd = $process->fetch(PDO::FETCH_NUM);

 $title = $cmd[1];

And the PDO Exception I get is:

Fatal error: Uncaught exception 'PDOException' with message 'SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''21-31282 ''' at line 1' in C:\xampp\htdocs\filmvote\include\databaseClass.php:33 Stack trace: #0 C:\xampp\htdocs\filmvote\include\databaseClass.php(33): PDOStatement->execute() #1 C:\xampp\htdocs\filmvote\recension.php(9): databaseManagement->executeQuery('SELECT * FROM `...') #2 {main} thrown in C:\xampp\htdocs\filmvote\include\databaseClass.php on line 33

You get this kind of error when adding ' or 1-1 to the URL. What can I do about this? Really grateful for help.

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(2

无语# 2024-12-24 14:42:07

发布的值应该使用 PDO 自动清理

不。只有当您像这样使用实际的准备好的语句时:

$stmt = $dbh->prepare("SELECT * FROM `movies` WHERE `url` = ?");
if ($stmt->execute(array($_GET['movie'])))  // <-- This sanitizes the value
  { 
    // do stuff
  }

您插入的值才会被自动清理,并且您的查询将受到 SQL 注入的保护。

否则,您的 SQL 查询将像任何旧的 mysql_query() 一样执行,并且容易受到攻击。 PDO 无法接受查询然后自动清理易受攻击的部分。那是不可能的。

the posted values are supposed to be sanitized automatically using PDO

Nope. Only if you use actual prepared statements like so:

$stmt = $dbh->prepare("SELECT * FROM `movies` WHERE `url` = ?");
if ($stmt->execute(array($_GET['movie'])))  // <-- This sanitizes the value
  { 
    // do stuff
  }

will your the values you insert be automatically sanitized, and your query protected from SQL injection.

Otherwise, your SQL query will be executed like any old mysql_query(), and is vulnerable. PDO can not take a query and then automatically sanitize the vulnerable parts. That's not possible.

半衾梦 2024-12-24 14:42:07

尝试准备好的语句:

$query = $db->prepare("SELECT * FROM `movies` WHERE url = ?");
$query->execute(array($request));
$result = $query->fetch(PDO::FETCH_ASSOC);

Try prepared statements:

$query = $db->prepare("SELECT * FROM `movies` WHERE url = ?");
$query->execute(array($request));
$result = $query->fetch(PDO::FETCH_ASSOC);
~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文