当前位置: 文江博客话题详情

我可以将参数作为比较运算符绑定到 PDO 语句吗?

发布于 2024-12-20 03:36:02 字数 1089 浏览 2 评论 0原文

这种代码

class opinion
{
   private $dbh;
   var $opinionid,$opinion,$note,$actorid,$dateposted;
   var $isnew=FALSE;
   function loadby($column,$value,$operator="="){
       $dbh = new PDO(I deleted parameters here);
       $statement=$dbh->prepare("select * from fe_opinion where :column :operator :value");
       $statement->bindParam(":column", $column);
       $statement->bindParam(":value", $value);
       $statement->bindParam(":operator", $operator); //UNSURE, DOUBTFUL
       $statement->bindColumn("opinionid", $this->opinionid);
       $statement->bindColumn("opinion", $this->opinion);
       $statement->bindColumn("note", $this->note);
       $statement->bindColumn("actorid", $this->actorid);
       $statement->bindColumn("dateposted", $this->dateposted);
       $statement->fetch();
       return $statement->rowCount(); //please be 1
   }
}

注入安全吗?

       $statement->bindParam(":operator", $operator); //UNSURE, DOUBTFUL

我可以将参数作为比较运算符绑定到 PDO 语句吗?

原文

Is this code

class opinion
{
   private $dbh;
   var $opinionid,$opinion,$note,$actorid,$dateposted;
   var $isnew=FALSE;
   function loadby($column,$value,$operator="="){
       $dbh = new PDO(I deleted parameters here);
       $statement=$dbh->prepare("select * from fe_opinion where :column :operator :value");
       $statement->bindParam(":column", $column);
       $statement->bindParam(":value", $value);
       $statement->bindParam(":operator", $operator); //UNSURE, DOUBTFUL
       $statement->bindColumn("opinionid", $this->opinionid);
       $statement->bindColumn("opinion", $this->opinion);
       $statement->bindColumn("note", $this->note);
       $statement->bindColumn("actorid", $this->actorid);
       $statement->bindColumn("dateposted", $this->dateposted);
       $statement->fetch();
       return $statement->rowCount(); //please be 1
   }
}

injection safe?

       $statement->bindParam(":operator", $operator); //UNSURE, DOUBTFUL

Can I bind a parameter to a PDO statement as a comparison operator?

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(4

入画浅相思 2024-12-27 03:36:02

不,你不能像那样绑定运算符。作为一种解决方法,您可以动态创建“基本”SQL 查询并使用运算符白名单(这是非常合适的)来保持注入安全:

function loadby($column,$value,$operator="="){ 
   $dbh = new PDO(...); 
   $operator = getOperator($operator);
   if(!$operator) {
       // error handling
   }
   $statement=$dbh->prepare("select * from fe_opinion where :column $operator :value");
   // the rest like you already do it
} 

function getOperator($operator) {
   $allowed_ops = array('=', '<', '>'); // etc
   return in_array($operator, $allowed_ops) ? $operator : false;
}

除此之外,其余的都很好,并且“根据定义”是防注入的。

No, you cannot bind operators like that. As a workaround, you can dynamically create the "base" SQL query and use an operator whitelist (which is quite appropriate) to remain safe from injection:

function loadby($column,$value,$operator="="){ 
   $dbh = new PDO(...); 
   $operator = getOperator($operator);
   if(!$operator) {
       // error handling
   }
   $statement=$dbh->prepare("select * from fe_opinion where :column $operator :value");
   // the rest like you already do it
} 

function getOperator($operator) {
   $allowed_ops = array('=', '<', '>'); // etc
   return in_array($operator, $allowed_ops) ? $operator : false;
}

Apart from this, the rest is fine and injection-proof "by definition".

回复 原文
一萌ing 2024-12-27 03:36:02

根据 DBMS 和 PHP 驱动程序,准备好的语句可以是“真实的”或模拟的。

在第一种情况下,绑定参数由 DBMS 直接处理。在这种情况下,将运算符作为参数处理可能会触发语法错误。 SQL 解析器将分析查询,甚至不查看参数,也不会找到有效的 SQL 代码来处理。

在第二种情况下,绑定参数由驱动程序模拟:输入值被插入到 SQL 代码中(具有足够的转义),并且 DBMS 接收完整的常规查询。我不太确定当前的驱动程序将如何表现(我需要测试它),但即使他们不抱怨无效的 SQL,他们迟早会碰壁:SQL 运算符不是字符串。

现在,有一天实现这个功能会是一个很好的功能吗?我怀疑这一点:

  • 运行重复查询时,您不会从预解析的 SQL 中受益:如果更改运算符,就会更改查询。
  • 您不会获得安全 SQL 代码。你怎么可以?

Depending on the DBMS and PHP driver, prepared statements can be "real" or emulated.

In the first case, bind parameters are handled directly by the DBMS. In such case, handling an operator as parameter will probably trigger a syntax error. The SQL parser will analyse the query without even looking at parameters and will not find valid SQL code to work on.

In the second case, bind parameters are emulated by the driver: input values get inserted into SQL code (with adequate escaping) and the DBMS receives a complete regular query. I'm not really sure about how current drivers will behave (I'd need to test it) but even if they don't complain about invalid SQL, they'll hit a wall sooner or later: SQL operators are not strings.

Now, would it be a nice feature to get implemented some day? I doubt it is:

  • You won't benefit from pre-parsed SQL when running repetitive queries: if you change operators, you change the query.
  • You won't get safe SQL code. How could you?
回复 原文
冧九 2024-12-27 03:36:02

正如评论中提到的,我认为不可能逃脱操作员并让它按您的预期工作。生成的查询可能类似于:

'column' '=' 'value';

您不需要转义运算符来避免注入攻击,您可以在将运算符附加到字符串之前验证运算符,请考虑:

class opinion
{
    $validOperators = array('=', '>=', '>', '=<', '<');

    function loadby($column,$value,$operator="=") {

        // Validate operator
        if (!in_array($operator, self::$validOperators)) {
            throw new Exception('Invalid $operator ' . $operator . ')';
        }

        $statement=$dbh->prepare("select * from fe_opinion where :column " . $operator . " :value");
    }
}

As mentioned in comment I don't think it's possible to escape the operator and have it work as you expect. The resulting query would probably look something like:

'column' '=' 'value';

You don't need to escape the operator to avoid injection attacks, you can validate your operator before appending it to the string, consider:

class opinion
{
    $validOperators = array('=', '>=', '>', '=<', '<');

    function loadby($column,$value,$operator="=") {

        // Validate operator
        if (!in_array($operator, self::$validOperators)) {
            throw new Exception('Invalid $operator ' . $operator . ')';
        }

        $statement=$dbh->prepare("select * from fe_opinion where :column " . $operator . " :value");
    }
}
回复 原文
£噩梦荏苒 2024-12-27 03:36:02

你实际上可以做到。 sql 变得更加复杂。根据组合的数量,SQL 可能会变得非常庞大。但是,有时当只有几个选择时,这很好。

select * 
  from someTable

where (case :column
       when 'age' then (case :operator
                               when '>' then age > :value
                               when '<' then age < :value
                        end)
       when 'price' then (case :operator
                               when '>' then price > :value
                               when '<' then price < :value
                        end)
      end)

  and someOtherCol = 'foo'

:value 也可以是另一列,但是您需要再次嵌套另一个 case 构造,就像第一列一样,并且组合现在确实在飙升。

不管怎样...只是想证明这是可以做到的。

You can actually do it. The sql just gets more complicated. Depending on the number of combinations, the sql can get really huge. But, sometimes when there's only a few choices, its nice.

select * 
  from someTable

where (case :column
       when 'age' then (case :operator
                               when '>' then age > :value
                               when '<' then age < :value
                        end)
       when 'price' then (case :operator
                               when '>' then price > :value
                               when '<' then price < :value
                        end)
      end)

  and someOtherCol = 'foo'

The :value could be another column too, but you'll need to nest yet again another case construct like for the first column, and the combinations are really soaring now.

Anyway... just wanted to show it can be done.

回复 原文
~没有更多了~

关于作者

七度光

暂无简介

文章
评论
25 人气
发私信

相关话题

更多

热门标签

操作系统 程序设计 IT运维 Linux系统管理 JavaScript 服务器应用 solaris C/C++ PHP Shell BSD Vue.js aix Oracle Python HTML 系统管理 HTML5 CSS 前端
更多

推荐作者

忆悲凉

文章 0 评论 0

hgfg1645

文章 0 评论 0

qq_qLPLYi

文章 0 评论 0

戏舞

文章 0 评论 0

殊姿

文章 0 评论 0

﹂绝世的画

文章 0 评论 0

更多

友情链接

文江博客
    我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
    原文