Community Learn Tools Library Leisure
search
English
Home > List of blog posts > 0512 作业
Blogger Information
Blog 34
fans 0
comment 0
visits 18410
Special Recommendation
More>
Related recommendations
Popular Tutorials
More>
Related Tutorials
Popular Recommendations
Latest courses
Latest Downloads
More>
Web Effects
Website Source Code
Website Materials
Front End Template
0512 作业
千山暮雪
Original
474 people have browsed it

1. pdo预处理机制在防sql注入的作用?

$sql = “select from users where username=’{$user}’ and password=’{$pwd}’”
假定用户输入的帐号为’ or 1=1 #及密码任意
PDO会拼接字符串结果如下:
“select from users where username=’’ or 1=1 #’ and password=’qetad’”
条件被修改为username=’’ or 1=1这个结果为真, 密码被#注释了,导致无需用户名和密码就能通过执行.

  1. $dsn = "mysql:host=127.0.0.1;dbname=user;";
  2. $username = "root";
  3. $password = "root123";
  5. $pdo = new PDO($dsn, $username, $password);
  7. //假定用户输入的帐号为' or 1=1 #及密码任意
  8. $user = "' or 1=1 #";
  9. $pwd = "qetad";
  10. $sql = "select * from `users` where `username`='{$user}' and `password`='{$pwd}'";
  11. //rowCount影响行数
  12. echo $stmt->rowCount(); //输出 104

当使用prepare时,prepare语句服务器发送一条sql给mysql服务器,mysql服务器会解析这条sql。
excute语句会把绑定的参数当做纯参数赋值给prepare。哪怕参数中有sql命令也不会被执行,从而实现防治sql注入。

  1. $dsn = "mysql:host=127.0.0.1;dbname=user;";
  2. $username = "root";
  3. $password = "root123";
  5. $pdo = new PDO($dsn, $username, $password);
  7. //假定用户输入的帐号为' or 1=1 #及密码任意
  8. $user = "' or 1=1 #";
  9. $pwd = "qetad";
  10. $sql = "select * from `users` where `username`=:user and `password`=:pwd";
  11. //使用prepare
  12. $stmt = $pdo->prepare($sql);
  13. $stmt->bindParam('user',$user);
  14. $stmt->bindParam('pwd', $pwd);
  15. $stmt->execute();
  16. //rowCount影响行数
  17. echo $stmt->rowCount();  // 0

2. pdo curd预处理? 扩展:pdo 预处理中bindValue与bindParam的不同之处有哪些?

  • bindValue
    PDOStatement::bindValue ($param, $value, $type = PDO::PARAM_STR) bool
    绑定一个值到用作预处理的 SQL 语句中的对应命名占位符或问号占位符

  • bindParam
    PDOStatement::bindParam ($param, &$var, $type = PDO::PARAM_STR, $maxLength = null, $driverOptions = null) bool
    绑定一个PHP变量到用作预处理的SQL语句中的对应命名占位符或问号占位符。 不同于 PDOStatement::bindValue() ,此变量作为引用被绑定,并只在 PDOStatement::execute() 被调用的时候才取其值。
    bindParam不能绑定具体的数值.

  1. $dsn = "mysql:host=127.0.0.1;dbname=user;";
  2. $username = "root";
  3. $password = "root123";
  5. $pdo = new PDO($dsn, $username, $password);
  6. // 使用问号点位符
  7. $sql1 = "select * from `users` where `id`=:id";
  8. $stmt1 = $pdo->prepare($sql1);
  9. $id = 1;
  10. $stmt1->bindValue('id',$id);
  11. $stmt1->bindParam('id',$id);
  12. $stmt1->execute();
  14. // 使用命名点位符
  15. $sql2 = "select * from `users` where `id`=?";
  16. $stmt2 = $pdo->prepare($sql1);
  17. $stmt2->bindValue(1,1);
  18. $stmt2->bindParam(1,1);  //报错
  19. $stmt2->execute();
Correcting teacher:灭绝师太灭绝师太

Correction status:qualified

Teacher's comments:
Statement of this Website
The copyright of this blog article belongs to the blogger. Please specify the address when reprinting! If there is any infringement or violation of the law, please contact admin@php.cn Report processing!
All comments Speak rationally on civilized internet, please comply with News Comment Service Agreement
0 comments
Author's latest blog post