PDO准备好的语句是否足以防止SQL注入? - Are PDO prepared statements sufficient to prevent SQL injection?
2020-07-15 06:30
956 查看
钉钉、微博极速扩容黑科技,点击观看阿里云弹性计算年度发布会!>>>
问题:
Let's say I have code like this: 假设我有这样的代码:
$dbh = new PDO("blahblah"); $stmt = $dbh->prepare('SELECT * FROM users where username = :username'); $stmt->execute( array(':username' => $_REQUEST['username']) );
The PDO documentation says: PDO文档说:
The parameters to prepared statements don't need to be quoted; 准备好的语句的参数不需要用引号引起来。 the driver handles it for you. 司机为您处理。
Is that truly all I need to do to avoid SQL injections? 那真的是我避免SQL注入所需要做的一切吗? Is it really that easy? 真的那么容易吗?
You can assume MySQL if it makes a difference. 您可以假设MySQL会有所作为。 Also, I'm really only curious about the use of prepared statements against SQL injection. 另外,我真的只是对针对SQL注入使用准备好的语句感到好奇。 In this context, I don't care about XSS or other possible vulnerabilities. 在这种情况下,我不在乎XSS或其他可能的漏洞。
解决方案:
参考一: https://stackoom.com/question/Yst/PDO准备好的语句是否足以防止SQL注入参考二: https://oldbug.net/q/Yst/Are-PDO-prepared-statements-sufficient-to-prevent-SQL-injection
相关文章推荐
- 数据库端防止并发的SQL语句 插入时就判断是否存在
- 利用sql预处理语句 防止sql注入
- 防止程序SQL语句错误以及SQL注入
- SQL Injection Attacks and Some Tips on How to Prevent Them
- pdo通过预处理语句防止sql注入
- SQL或HQL预编译语句,可以防止SQL注入,可是不能处理%和_特殊字符
- Free, simple code to find out what SQL statements are running slow in SQL Server right now
- SQL注入专题--整理帖 && like 语句拼sql 如何防止注入攻击。
- How to Prevent SQL Injection Attack (Explained with an Example)
- SQL或HQL预编译语句,能够防止SQL注入,但是不能处理%和_特殊字符
- 优化SQL语句的9大诀窍(Tips to optimize your SQL statements)
- 怎样写防止Sql注入的Sql语句
- Why Prepared Statements are important and how to use them "properly"
- What’s the Right Way to Prevent SQL Injection in PHP Scripts?
- 参数化SQL语句,防止SQL注入漏洞攻击 分类: ASP.NET 2012-03-09 09:57 2360人阅读 评论(0) 收藏
- 参数化SQL语句,防止SQL注入漏洞攻击
- 非常见SQL注入漏洞及利用 Unusual SQL injection vulnerabilities and how to exploit them
- 参数化SQL语句,防止SQL注入漏洞攻击
- asp利用Parameters对象,实现防止sql注入,执行sql语句并返回变量值
- LINQ体验(7)——LINQ to SQL语句之Group By/Having和Exists/In/Any/All/Contains