I was told to use PDO to retrieve data from the database safely. Now I'm wondering whether this is safe or effective:
$dbtype = "sqlite";
$dbhost = "localhost";
$dbname = "test";
$dbuser = "root";
$dbpass = "admin";
$conn = new PDO("mysql:host=$dbhost;dbname=$dbname",$dbuser,$dbpass);
$firstName = htmlspecialchars($_POST["firstName"]);
foreach($conn->query('SELECT * FROM employeeTable WHERE firstName = ' . $firstName) as $row) {
echo $row['lastName'].' '.$row['email'];
}
Because it seems to me that it is still possible to "inject" something into the query.
So my question is: is this really safe? And if not, how would I make it secure?
I think you'd better prepare it as follows; the preparation is what renders injection ineffective:
$sql = 'SELECT * FROM employeeTable WHERE firstName = :firstName';
$sth = $conn->prepare($sql);
$sth->bindParam(':firstName', $firstName);
$sth->execute();
$result = $sth->fetchAll(PDO::FETCH_OBJ);
foreach ($result as $key => $value) {
echo $value->lastName, $value->email;
}
Just remember not to concatenate POST variables directly into the query; just use prepared statements. After executing the prepared statement, you need to fetch the results:
$select = $conn->prepare('SELECT * FROM employeeTable WHERE firstName = :firstName');
$select->execute(array(':firstName' => $_POST["firstName"]));
while ($row = $select->fetch(PDO::FETCH_ASSOC)) {
    echo $row['lastName'].' '.$row['email'];
}
This is a good read:
http://wiki.hashphp.org/PDO_Tutorial_for_MySQL_Developers
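The following is an added, self-contained example (not code from the question or either answer) that puts the two approaches side by side on an in-memory SQLite database with constructed rows: the prepared statement both answers recommend, and a concatenated query of the kind the question uses. The table and column names follow the page; the sample employees, the helper function names and the use of SQLite instead of MySQL are assumptions made for the demo. It also shows why htmlspecialchars() is the wrong tool here: it is HTML output encoding and says nothing about SQL syntax.

```php
<?php
// Constructed sample database (not part of the original page).
$conn = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, // surface SQL errors as exceptions
]);
$conn->exec('CREATE TABLE employeeTable (firstName TEXT, lastName TEXT, email TEXT)');
$seed = $conn->prepare('INSERT INTO employeeTable VALUES (:f, :l, :e)');
foreach ([['Ann', 'Lee', 'ann@example.com'], ["O'Brien", 'Pat', 'pat@example.com']] as $r) {
    $seed->execute([':f' => $r[0], ':l' => $r[1], ':e' => $r[2]]);
}

// Safe lookup (hypothetical helper): the user value is bound as a parameter,
// so the database driver never sees it as part of the SQL text.
function findByFirstName(PDO $conn, string $firstName): array
{
    $sth = $conn->prepare(
        'SELECT lastName, email FROM employeeTable WHERE firstName = :firstName'
    );
    $sth->execute([':firstName' => $firstName]);
    return $sth->fetchAll(PDO::FETCH_ASSOC);
}

// Unsafe lookup (hypothetical helper), in the style of the question but with the
// quotes the question omitted: the value is spliced into the SQL string itself.
function findByFirstNameConcat(PDO $conn, string $firstName): array
{
    $sql = "SELECT lastName, email FROM employeeTable WHERE firstName = '" . $firstName . "'";
    return $conn->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// A perfectly legitimate name containing a quote; stands in for $_POST['firstName'].
$input = "O'Brien";

// Prepared statement: the quote is just data, the matching row comes back.
print_r(findByFirstName($conn, $input));

// Concatenation: the same quote changes the SQL grammar, so the statement fails.
// Data and code are no longer separated, which is exactly what prepared statements fix.
try {
    findByFirstNameConcat($conn, $input);
} catch (PDOException $e) {
    echo 'concatenated query failed: ', $e->getMessage(), PHP_EOL;
}
```

Run it with `php example.php`; the first call returns the O'Brien row, the second raises a PDOException. Note that htmlspecialchars() would not have helped the concatenated version either: it rewrites characters for HTML output, so the value would simply no longer match what is stored in the table.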