PHP: Sanitizing user input with Medoo
Medoo is a PHP database framework. Does anyone know whether it is necessary to sanitize user input before using the insert() function? In the "Why use Medoo?" section on the homepage it simply says "prevent SQL injection", but I don't know whether that means it does it for you, or just makes it easier to do. Does anyone know? I would imagine it does it for you, but I'd rather be sure.

It seems they are filtering for SQL injection, but you don't have to worry. [They have listed it as one of their main features.] A quick look at the class shows it is basically code for multiple database types. They use the quote method to escape user input, although PHP recommends: "If you are using quote() to build SQL statements, you are strongly recommended to use PDO::prepare() to prepare SQL statements with bound parameters instead of using PDO::quote() to interpolate user input into an SQL statement. Prepared statements with bound parameters are not only more portable and more convenient, and immune to SQL injection, but are often much faster to execute than interpolated queries, as both the server and client side can cache a compiled form of the query."

In fact, from the code, they do not seem to be using the PDO prepare method to build the query, which means that even with quoting an attacker could possibly use strange wide characters. See:

Medoo has dropped support for PDO prepare because prepare's quoting process is not suitable for the current serialized array data and has some compatibility problems. But if you want, you can use it:
$calories = 150;
$colour = 'red';
$sth = $database->pdo->prepare('SELECT name, colour, calories
    FROM fruit
    WHERE calories < :calories AND colour = :colour');
$sth->bindParam(':calories', $calories, PDO::PARAM_INT);
$sth->bindParam(':colour', $colour, PDO::PARAM_STR, 12);
$sth->execute();
Version 1.6.1 does not seem to escape by default:
$database = new Medoo([
"database_type" => "mysql",
"database_name" => "database",
"server" => "localhost",
"username" => "user",
"password" => "1234",
"charset" => "utf8"
]);
// Original proper query and injection
$table_proper_plain = 'TAB_1';
$table_inject_plain = 'TAB_1" UNION SELECT username, password FROM TAB_2;#';
$database->select($table_proper_plain, ["COL_1","COL_2"]);
// SELECT `COL_1`,`COL_2` FROM `TAB_1`
// valid, returns rows from TAB_1
// works as expected
$database->select($table_inject_plain, ["COL_1","COL_2"]);
// SELECT `COL_1`,`COL_2` FROM `TAB_1` UNION SELECT username, password FROM TAB_2;#"
// valid(!), returns rows from TAB_1 AND TAB_2(!)
// bad, injection successful
// Using method quote on proper and injection query
$table_proper_quote = $database->quote($table_proper_plain);
$table_inject_quote = $database->quote($table_inject_plain);
$database->select($table_proper_quote, ["COL_1","COL_2"]);
// SELECT `COL_1`,`COL_2` FROM "'TAB_1'"
// not valid, error 1146: Table 'database.'TAB_1'' doesn't exist
// bad, quoting broke query
$database->select($table_inject_quote, ["COL_1","COL_2"]);
// SELECT `COL_1`,`COL_2` FROM "'TAB_1\" UNION SELECT username, password FROM TAB_2;#'"
// not valid, error 1146: Table 'database.'TAB_1'' doesn't exist
// good, injection not successful
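The division of labour in the 1.6.1 test above is the point to take away. In Medoo 1.6.x the values you pass in a data or WHERE array are bound as PDO parameters, but table and column names are interpolated into the SQL with Medoo's own identifier quoting (double quotes; on MySQL it runs SET SQL_MODE=ANSI_QUOTES so that double quotes delimit identifiers). That is why a double quote inside the table name breaks out of the identifier, and why running quote() over a name only breaks the query instead of protecting it: identifiers cannot be bound, so they have to be allow-listed before they reach Medoo, while values should go through the binding that Medoo (or the PDO handle it exposes, as in the bindParam answer above) already provides. The following is an added example, not code from the question, the answers or the Medoo project. It assumes Medoo 1.6.x installed with Composer, using the configuration keys from the snippet above but pointed at an in-memory SQLite database so it runs without a server, that pdo_sqlite is available, and that TAB_1, TAB_2 and the safeIdentifier helper are hypothetical names. Because SQLite has no # comment, the injected name ends in -- instead of ;#. On Medoo 2.x the raw injected name is already rejected with an InvalidArgumentException before any SQL is built, so there the allow-list mainly limits which legitimate tables a request may reach.

```php
<?php
// Added example, not from the question, the answers or the Medoo project.
// Assumes Medoo 1.6.x installed with Composer, pdo_sqlite, and the
// hypothetical tables TAB_1 / TAB_2 from the 1.6.1 test on this page.
require __DIR__ . '/vendor/autoload.php';

use Medoo\Medoo;

// Identifiers cannot be sent as bound parameters, so they are checked against
// an allow-list of names the application owns. The regex is a second guard in
// case the allow-list is ever assembled from configuration data.
function safeIdentifier(string $name, array $allowed): string
{
    if (!in_array($name, $allowed, true)
        || !preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $name)) {
        throw new InvalidArgumentException("Rejected SQL identifier: $name");
    }
    return $name;
}

$db = new Medoo([
    'database_type' => 'sqlite',
    'database_file' => ':memory:',
]);

// Constructed fixture mirroring the TAB_1 / TAB_2 layout of the test above.
$db->query('CREATE TABLE TAB_1 (COL_1 TEXT, COL_2 TEXT)');
$db->query('CREATE TABLE TAB_2 (username TEXT, password TEXT)');
$db->insert('TAB_1', ['COL_1' => 'public', 'COL_2' => 'row']);
$db->insert('TAB_2', ['username' => 'admin', 'password' => 'secret-hash']);

$allowedTables  = ['TAB_1'];
$allowedColumns = ['COL_1', 'COL_2'];

// 1. Identifier from the request (constructed hostile input). SQLite has no
//    '#' comment, so the payload ends in '--' instead of ';#'. The name is
//    rejected before Medoo can interpolate it, so TAB_2 is never read.
$requestedTable = 'TAB_1" UNION SELECT username, password FROM TAB_2 --';
try {
    $rows = $db->select(safeIdentifier($requestedTable, $allowedTables), $allowedColumns);
} catch (InvalidArgumentException $e) {
    $rows = [];
    echo $e->getMessage(), PHP_EOL;
}
var_dump(count($rows));

// 2. Value from the request: Medoo binds it as a PDO parameter, so the
//    tautology is compared as a literal string and matches no row.
$hostileValue = "public' OR '1'='1";
$rows = $db->select('TAB_1', $allowedColumns, ['COL_1' => $hostileValue]);
var_dump(count($rows));

// 3. The same guarantee through the PDO handle Medoo exposes, for SQL the
//    builder cannot express (the bindParam pattern shown in the answer above).
$sth = $db->pdo->prepare('SELECT COL_1, COL_2 FROM TAB_1 WHERE COL_1 = :col');
$sth->bindValue(':col', $hostileValue, PDO::PARAM_STR);
$sth->execute();
var_dump(count($sth->fetchAll(PDO::FETCH_ASSOC)));

// The legitimate value, bound the same way, finds the row.
$sth->bindValue(':col', 'public', PDO::PARAM_STR);
$sth->execute();
var_dump($sth->fetchAll(PDO::FETCH_ASSOC));
```

Run it from the command line with php. The guarded select throws before any SQL is built, both queries that receive the hostile value as a bound parameter return no rows, and only the final query with the genuine value returns the TAB_1 row. The allow-list is deliberately a list of known names rather than an escaping routine, because there is no escaping that makes an arbitrary string a safe identifier on every database Medoo supports.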