怎样找靠谱的黑客联系 *** -PDO防注入原理剖析及其应用PDO的常见问题
大家都了解,要是有效恰当应用PDO,能够大部分避免 SQL注入的造成,文中关键回应下列2个难题:
为何要应用PDO而不是mysql_connect?
为什么PDO能防注入?
应用PDO防注入的情况下应当需注意哪些?
一、为什么要优先选择应用PDO?
PHP指南上说得很清晰:
Prepared statements and stored procedures
Many of the more mature databases support the concept of prepared statements. What are they? They can be 哪里可以寻找黑客 thought of as a kind of compiled template for the SQL that an application wants to run, that can be customized using variable parameters. Prepared statements offer two major benefits:
The query only needs to be parsed (or prepared) once, but can be executed multiple times with the same or different parameters. When the query is prepared, the database will 哪里可以寻找黑客 *** yze, compile and optimize its plan for executing the query. For complex queries this process can take up enough time that it will noticeably slow down an application if there is a need to repeat the same query many times with different parameters. By using a prepared statement the application avoids repeating the *** yze/compile/optimize cycle. This means that prepared 哪里可以寻找黑客 statements use fewer resources and thus run faster.
The parameters to prepared statements don\\'t need to be quoted; the driver automatically handles this. If an application exclusively uses prepared statements, the developer can be sure that no SQL injection will occur (however, if other portions of the query are being built up with unescaped input, SQL 哪里可以寻找黑客 injection is still possible).
即应用PDO的prepare *** ,主要是提升 同样SQL模版查看特性、阻拦SQL注入
另外,PHP指南中得出了警示信息内容
Prior to PHP 5.3.6, this element was silently ignored. The same behaviour can be partly replicated with the PDO::MYSQL_ATTR_INIT_COMMAND driver option, as the following example shows.
Warning
The method in the below example can only be used with character 哪里可以寻找黑客 sets that share the same lower 7 bit representation as ASCII, such as ISO-8859-1 and UTF-8. Users using character sets that have different representations (such as UTF-16 or Big5) must use the charset option provided in PHP 5.3.6 and later versions.
意思是说,在PHP 5.3.6及之前版本号中,并不兼容在DSN中的charset界定,而应当应用PDO::MYSQL_ATTR_INIT_COMMAND设定原始SQL, 即大家常见的 set names gbk命令。
我 见到一些程序流程,仍在试着应用addslashes做到防注入的目地,却不知道那样实际上难题大量, 敬请看http://www.lorui.com/addslashes-mysql_escape_string- mysql_real_eascape_string.html
也有一些作法:在实行数据库前,将SQL中的select, union, ....这类的关键字清除掉。这类作法显而易见是十分不正确的处理 *** ,假如递交的文章正文中的确包括 the students\\'s union , 更换后将伪造原本的內容,滥杀,不可取。
二、为什么PDO能防SQL注入?
请首先看下列PHP编码:
相关文章
*** 黑客在在哪里啊-了解Android安全性机制文中从Android系统架构图下手,剖析Android的安全性机制以SEAndroid,最终得出一些Android安全性现况和普遍的安全性解决 *** 。1、Android系统架构图Android...
黑客知识网 62 2020-11-12
怎样找靠谱的黑客联系 *** -PDO防注入原理剖析及其应用PDO的常见问题大家都了解,要是有效恰当应用PDO,能够大部分避免SQL注入的造成,文中关键回应下列2个难题:为何要应用PDO而不是mysql_connect?为什么PDO能防注入?应用PDO防注入的情况下应当需注意哪些?一、为什么要优先选择应用PDO?PHP指南上...
黑客知识网 106 2020-11-12
留言评论
| 留言与评论(共有 0 条评论) |
|
版权声明
本文仅代表作者观点,不代表本站立场。
本文系作者授权发表,未经许可,不得转载。
