我读了很多关于sql注入的书,我了解它是如何导致问题的(例如:DROP TABLE__etc)。但我不确定我所遵循的教程是如何防止这种情况发生的。我只是在学习PDO,我想我理解它。
此代码不受SQL注入的影响吗为什么?(使用这些准备好的语句需要做更多的工作,所以我想确保我不是在浪费时间-如果代码可以改进,请告诉我!)
$conn = new PDO("mysql:host=$DB_HOST;dbname=$DB_DATABASE",$DB_USER,$DB_PASSWORD);
// Get the data
$firstname = $_POST["v_firstname"];
$lastname = $_POST["v_lastname"];
$origincountry = $_POST["v_origincountry"];
$citizenship = $_POST["v_citizenship"];
$gender = $_POST["v_gender"];
$dob = $_POST["v_dob"];
$language = $_POST["v_language"];
$landing = $_POST["v_landing"];
$email = $_POST["v_email"];
$phone = $_POST["v_phone"];
$cellphone = $_POST["v_cellphone"];
$caddress = $_POST["v_caddress"];
$paddress = $_POST["v_paddress"];
$school = $_POST["v_school"];
$grade = $_POST["v_grade"];
$smoker = $_POST["v_smoker"];
$referred = $_POST["v_referred"];
$notes = $_POST["v_notes"];
//Insert Data
$sql = "INSERT INTO clients (firstname, lastname, origincountry, citizenship, gender, dob, language, landing, email, phone, cellphone, caddress, paddress, school, grade, smoker, referred, notes)
VALUES (:firstname, :lastname, :origincountry, :citizenship, :gender, :dob, :language, :landing, :email, :phone, :cellphone, :caddress, :paddress, :school, :grade, :smoker, :referred, :notes)";
$q = $conn->prepare($sql);
$q->execute(array(':firstname'=>$firstname,
':lastname'=>$lastname,
':origincountry'=>$origincountry,
':citizenship'=>$citizenship,
':gender'=>$gender,
':dob'=>$dob,
':language'=>$language,
':landing'=>$landing,
':email'=>$email,
':phone'=>$phone,
':cellphone'=>$cellphone,
':caddress'=>$caddress,
':paddress'=>$paddress,
':school'=>$school,
':grade'=>$grade,
':smoker'=>$smoker,
':referred'=>$referred,
':notes'=>$notes));
您的代码不受SQL注入的影响,因为您使用的是参数化查询,这基本上意味着一旦构建并发送到SQL server,就会对其进行转义,使用php的内置函数mysql_real_escape_string()也可以实现这一点。
以下视频是关于OWASP sql注入的精彩信息视频:SQL注入
规则是:不要手动构造sql,在其中可以执行以下操作:
sqlStatement = 'select field1, field2, field3 from mytable where index = '' + myVariable + ''
上述情况很危险,因为如果您的应用程序允许用户将数据传递到myVariable,他们可能会向您的数据库服务器发送完整的SQL命令。
如上所述,使用参数化查询就是解决方案。