PHP PDO语句可以接受表或列名作为参数吗?
为什么不能将表名传递给准备好的PDO语句PHP PDO语句可以接受表或列名作为参数吗?,php,pdo,Php,Pdo,为什么不能将表名传递给准备好的PDO语句 $stmt = $dbh->prepare('SELECT * FROM :table WHERE 1'); if ($stmt->execute(array(':table' => 'users'))) { var_dump($stmt->fetchAll()); } 是否有其他安全的方法将表名插入SQL查询?有了保险箱,我的意思是我不想这样做 $sql = "SELECT * FROM $table WHERE 1"
$stmt = $dbh->prepare('SELECT * FROM :table WHERE 1');
if ($stmt->execute(array(':table' => 'users'))) {
var_dump($stmt->fetchAll());
}
$sql = "SELECT * FROM $table WHERE 1"
使用前者本质上并不比后者更安全,您需要清理输入,无论它是参数数组的一部分还是简单变量。因此,如果在使用
$table$table$tableswitch()function buildQuery( $get_var )
{
switch($get_var)
{
case 1:
$tbl = 'users';
break;
}
$sql = "SELECT * FROM $tbl";
}
:value从:表中选择名称,其中id=:value这也不是像PDO这样的抽象库可以或应该解决的问题,因为它会破坏准备语句的两个关键目的:1)允许数据库提前决定如何运行查询,并多次使用相同的计划;2)通过将查询逻辑与变量输入分离来防止安全问题。我看到这是一篇老文章,但我发现它很有用,我想分享一个类似@kzqai建议的解决方案: 我有一个函数,它接收两个参数,比如
function getTableInfo($inTableName, $inColumnName) {
....
}
$allowed_tables_array = array('tblTheTable');
$allowed_columns_array['tblTheTable'] = array('the_col_to_check');
if(in_array($inTableName, $allowed_tables_array) && in_array($inColumnName,$allowed_columns_array[$inTableName]))
{
$sql = "SELECT $inColumnName AS columnInfo
FROM $inTableName";
$stmt = $pdo->prepare($sql);
$stmt->execute();
$result = $stmt->fetchAll(PDO::FETCH_ASSOC);
}
我有一部分想知道,您是否可以提供您自己的自定义消毒功能,简单如下:
$value = preg_replace('/[^a-zA-Z_]*/', '', $value);
我还没有仔细考虑过,但似乎除了字符和下划线之外,删除任何东西都可能有效。至于这个线程中的主要问题,其他帖子清楚地说明了为什么我们在准备语句时不能将值绑定到列名,所以这里有一个解决方案:
class myPdo{
private $user = 'dbuser';
private $pass = 'dbpass';
private $host = 'dbhost';
private $db = 'dbname';
private $pdo;
private $dbInfo;
public function __construct($type){
$this->pdo = new PDO('mysql:host='.$this->host.';dbname='.$this->db.';charset=utf8',$this->user,$this->pass);
if(isset($type)){
//when class is called upon, it stores column names and column types from the table of you choice in $this->dbInfo;
$stmt = "select distinct column_name,column_type from information_schema.columns where table_name='sometable';";
$stmt = $this->pdo->prepare($stmt);//not really necessary since this stmt doesn't contain any dynamic values;
$stmt->execute();
$this->dbInfo = $stmt->fetchAll(PDO::FETCH_ASSOC);
}
}
public function pdo_param($col){
$param_type = PDO::PARAM_STR;
foreach($this->dbInfo as $k => $arr){
if($arr['column_name'] == $col){
if(strstr($arr['column_type'],'int')){
$param_type = PDO::PARAM_INT;
break;
}
}
}//for testing purposes i only used INT and VARCHAR column types. Adjust to your needs...
return $param_type;
}
public function columnIsAllowed($col){
$colisAllowed = false;
foreach($this->dbInfo as $k => $arr){
if($arr['column_name'] === $col){
$colisAllowed = true;
break;
}
}
return $colisAllowed;
}
public function q($data){
//$data is received by post as a JSON object and looks like this
//{"data":{"column_a":"value","column_b":"value","column_c":"value"},"get":"column_x"}
$data = json_decode($data,TRUE);
$continue = true;
foreach($data['data'] as $column_name => $value){
if(!$this->columnIsAllowed($column_name)){
$continue = false;
//means that someone possibly messed with the post and tried to get data from a column that does not exist in the current table, or the column name is a sql injection string and so on...
break;
}
}
//since $data['get'] is also a column, check if its allowed as well
if(isset($data['get']) && !$this->columnIsAllowed($data['get'])){
$continue = false;
}
if(!$continue){
exit('possible injection attempt');
}
//continue with the rest of the func, as you normally would
$stmt = "SELECT DISTINCT ".$data['get']." from sometable WHERE ";
foreach($data['data'] as $k => $v){
$stmt .= $k.' LIKE :'.$k.'_val AND ';
}
$stmt = substr($stmt,0,-5)." order by ".$data['get'];
//$stmt should look like this
//SELECT DISTINCT column_x from sometable WHERE column_a LIKE :column_a_val AND column_b LIKE :column_b_val AND column_c LIKE :column_c_val order by column_x
$stmt = $this->pdo->prepare($stmt);
//obviously now i have to bindValue()
foreach($data['data'] as $k => $v){
$stmt->bindValue(':'.$k.'_val','%'.$v.'%',$this->pdo_param($k));
//setting PDO::PARAM... type based on column_type from $this->dbInfo
}
$stmt->execute();
return $stmt->fetchAll(PDO::FETCH_ASSOC);//or whatever
}
}
$pdo = new myPdo('anything');//anything so that isset() evaluates to TRUE.
var_dump($pdo->q($some_json_object_as_described_above));
旁注:我添加了这个答案(作为一个社区wiki),因为它通常用于结束问题,有些人在试图绑定数据库时发布了类似的问题,而不是一个表和/或列。考虑到第一个选项不起作用,你必须使用某种形式的动态查询构建。是的,上面提到的问题是不起作用的。我试图描述为什么这样做并不十分重要。+1表示白名单选项,而不是使用任何类型的动态方法。另一种选择可能是将可接受的表名映射到一个数组,该数组的键对应于潜在的用户输入(例如,
数组('u'=>'users','t'=>'table','n'=>'nonsensitive_data')默认值。如果使用此模式,您应该将一个案例
标记为默认
,或者添加一个明确的错误案例,例如默认:抛出新的InvalidArgumentException
我在想一个简单的if(在数组($tbl,['users','products',…]){$sql=“SELECT*FROM$tbl”;}
。谢谢你的主意。我错过了mysql\u real\u escape\u string()
。也许在这里我可以说出来,而不用有人插嘴说“但你不需要PDO”另一个问题是动态表名破坏了SQL inspection.True,但没有考虑PDO的prepare语句模拟(这可能会使SQL对象标识符参数化,尽管我仍然同意它可能不应该)@eggyal我猜模拟的目的是使标准功能在所有DBMS风格上都能工作,而不是添加全新的功能。标识符的占位符还需要一种任何DBMS都不直接支持的独特语法。PDO是一个相当低级的包装器,例如,它不为TOP/LIMIT
/OFFSET
子句,因此这将有点不适合作为一个功能。MySQL表名可以包含其他字符。请参阅@PhilLaNasa,实际上有些人认为它们应该(需要参考
CREATE DATABASE IF NOT EXISTS :database