当前位置: 动力学知识库 > 问答 > 编程问答 >

php - Is this code safe against mysql injections?

问题描述:

$stmt_update = $db->prepare("UPDATE 2_1_journal SET RecordDay = ?, WHERE Number = ? ");

$stmt->execute(array($amount1, $date_day1));

Is this safe against mysql injections?

If safe, as I understand it is because of "= ?". Then question how "= ?" works/helps

Question is because here http://php.net/manual/en/pdo.prepare.php is written

Prepared statements only project you from SQL injection IF you use the bindParam or bindValue option.

For example if you have a table called users with two fields, username and email and someone updates their username you might run

UPDATE `users` SET `user`='$var'

where $var would be the user submitted text.

Now if you did

<?php

$a=new PDO("mysql:host=localhost;dbname=database;","root","");

$b=$a->prepare("UPDATE `users` SET user='$var'");

$b->execute();

?>

and the user had entered User', email='test for a test the injection would occur and the email would be updated to test as well as the user being updated to User.

In my code (above) there is no bindParams and no bindValue. So do not know if it is safe and if yes, then what part of code ensures it. Please, advice

Update

After reading this How to prevent SQL injection in PHP? have got one more question

Does this code

$stmt = $pdo->prepare('SELECT * FROM employees WHERE name = ?');

$stmt->execute(array($name));

the same as this?

$stmt = $pdo->prepare('SELECT * FROM employees WHERE name = :name');

$stmt->execute(array(':name' => $name));

If yes, then seems it is better to use first code because it is shorter?

网友答案:

Yes, prepared statements are always safe from inject attacks as long as there are no logical flaws, such as using name = '?'.

bindParam is really helpful when you want to bind different datatypes; such as string, integer etc in the query. For eg:

$stmt = $pdo->prepare('SELECT * FROM employees WHERE myID = ?');
$stmt->bindParam( 1, $id, PDO::PARAM_INT );
$stmt->execute();
网友答案:

Prepared statements only project you from SQL injection IF you use the bindParam or bindValue option.

Manual is incorrect here. Passing data into execute() is safe as well. The main thing is using a placeholder to represent the actual data in the query. As long as you're using a placeholder instead of the actual data - you are safe. However, PDO doesn't offer you placeholders for the everything you can add into query, identifiers for example.

Does this code the same as this?

Yes.
Named placeholders are just a "syntax sugar" for a regular ones.
Technically they are the same in either way - so, it's only a matter of taste.
Personally I prefer regular question mark placeholders as they indeed makes the code dramatically shorter, while named placeholders makes it bloated with no benefit.

分享给朋友:
您可能感兴趣的文章:
随机阅读: