How to use PDO to query mysql to avoid SQL injection
When using the traditional mysql_connect and mysql_query methods to connect and query the database, if the filtering is not strict, there is a risk of SQL injection. Although the mysql_real_escape_string() function can be used to filter user-submitted values, it also has flaws. By using the prepare method of PHP's PDO extension, you can avoid the risk of sql injection.
PDO (PHP Data Object) is a major new feature added to PHP5, because before PHP 5, php4/php3 had a bunch of database extensions to connect and connect with each database. Processing, such as php_mysql.dll. PHP6 will also use PDO to connect by default, and the mysql extension will be used as an auxiliary. Official address: http://php.net/manual/en/book.pdo.php
1. PDO configuration
Before using the PDO extension, you must first enable this extension. In php.ini, remove the ";" in front of "extension=php_pdo.dll". If you want to connect to the database, you also need to remove the PDO-related database extension. ";" (usually php_pdo_mysql.dll is used), and then restart the Apache server.
extension=php_pdo.dll extension=php_pdo_mysql.dll
2. PDO connects to mysql database
$dbh = new PDO("mysql:host=localhost;dbname=mydb","root","password");The default is not a long connection. If you want to use a long connection to the database, you can add it at the end Add the following parameters:
$dbh = new PDO("mysql:host=localhost;dbname=mydb","root","password","array(PDO::ATTR_PERSISTENT => true) ");
$dbh = null; //(释放)3. PDO setting properties
PDO has three error handling methods:
PDO::ERrmODE_SILENT does not display error messages, only sets error codes
PDO::ERrmODE_WARNING displays warning errors
PDO::ERrmODE_EXCEPTION throws an exception
You can use the following statement to set the error handling method to throw an exception
$db->setAttribute(PDO::ATTR_ERrmODE, PDO::ERrmODE_EXCEPTION);
Because different database pairs return The case of field names is handled differently, so PDO provides the PDO::ATTR_CASE setting item (including PDO::CASE_LOWER, PDO::CASE_NATURAL, PDO::CASE_UPPER) to determine the case of the returned field name.
Specify the corresponding value in php for the NULL value returned by the database by setting the PDO::ATTR_ORACLE_NULLS type (including PDO::NULL_NATURAL, PDO::NULL_EmpTY_STRING, PDO::NULL_TO_STRING).
4. Common PDO methods and their applications
PDO::query() is mainly used for records Operations that return results, especially SELECT operations
PDO::exec() is mainly for operations that do not return a result set, such as INSERT, UPDATE and other operations
PDO::prepare() is mainly a preprocessing operation. You need to use $rs->execute() to execute the SQL statement in the preprocessing. This method can bind parameters and is more powerful (preventing sql injection Just rely on this)
PDO::lastInsertId() returns the last insert operation, the primary key column type is the last auto-increment ID
PDOStatement::fetch() is used to obtain a record
PDOStatement::fetchAll() is used to obtain all record sets into a collection
PDOStatement::fetchColumn() is a field of the first record specified in the fetch result. The default is the first field.
PDOStatement::rowCount(): Mainly used The result set affected by DELETE, INSERT, and UPDATE operations on PDO::query() and PDO::prepare() is invalid for the PDO::exec() method and SELECT operation.
5.PDO operation MYSQL database instance
<?php
$pdo = new PDO("mysql:host=localhost;dbname=mydb","root","");
if($pdo -> exec("insert into mytable(name,content) values('fdipzone','123456')")){
echo "insert success";
echo $pdo -> lastinsertid();
}
?><?php
$pdo = new PDO("mysql:host=localhost;dbname=mydb","root","");
$rs = $pdo -> query("select * from table");
$rs->setFetchMode(PDO::FETCH_ASSOC); //关联数组形式
//$rs->setFetchMode(PDO::FETCH_NUM); //数字索引数组形式
while($row = $rs -> fetch()){
print_r($row);
}
?><?php
foreach( $db->query( "SELECT * FROM table" ) as $row )
{
print_r( $row );
}
?>Statistics on how many rows of data there are:
<?php $sql="select count(*) from table"; $num = $dbh->query($sql)->fetchColumn(); ?>
prepare method:
<?php
$query = $dbh->prepare("select * from table");
if ($query->execute()) {
while ($row = $query->fetch()) {
print_r($row);
}
}
?>prepare parameterized query:
<?php
$query = $dbh->prepare("select * from table where id = ?");
if ($query->execute(array(1000))) {
while ($row = $query->fetch(PDO::FETCH_ASSOC)) {
print_r($row);
}
}
?>When using PDO to access the MySQL database , real prepared statements are not used by default. To solve this problem, you must disable the emulation effects of prepared statements. The following is an example of using PDO to create a link:
<?php $dbh = new PDO('mysql:dbname=mydb;host=127.0.0.1;charset=utf8', 'root', 'pass'); $dbh->setAttribute(PDO::ATTR_EMULATE_PREPARES, false); ?>
setAttribute()这一行是强制性的,它会告诉 PDO 禁用模拟预处理语句,并使用 real parepared statements 。这可以确保SQL语句和相应的值在传递到mysql服务器之前是不会被PHP解析的(禁止了所有可能的恶意SQL注入攻击)。
虽然你可以配置文件中设置字符集的属性(charset=utf8),但是需要格外注意的是,老版本的 PHP( < 5.3.6)在DSN中是忽略字符参数的。
完整的代码使用实例:
<?php
$dbh = new PDO("mysql:host=localhost; dbname=mydb", "root", "pass");
$dbh->setAttribute(PDO::ATTR_EMULATE_PREPARES, false); //禁用prepared statements的仿真效果
$dbh->exec("set names 'utf8'");
$sql="select * from table where username = ? and password = ?";
$query = $dbh->prepare($sql);
$exeres = $query->execute(array($username, $pass));
if ($exeres) {
while ($row = $query->fetch(PDO::FETCH_ASSOC)) {
print_r($row);
}
}
$dbh = null;
?>上面这段代码就可以防范sql注入。为什么呢?
当调用 prepare() 时,查询语句已经发送给了数据库服务器,此时只有占位符 ? 发送过去,没有用户提交的数据;当调用到 execute()时,用户提交过来的值才会传送给数据库,它们是分开传送的,两者独立的,SQL攻击者没有一点机会。
但是我们需要注意的是以下几种情况,PDO并不能帮助你防范SQL注入。
不能让占位符 ? 代替一组值,这样只会获取到这组数据的第一个值,如:
select * from table where userid in ( ? );
如果要用in來查找,可以改用find_in_set()实现
$ids = '1,2,3,4,5,6'; select * from table where find_in_set(userid, ?);
不能让占位符代替数据表名或列名,如:
select * from table order by ?;
不能让占位符 ? 代替任何其他SQL语法,如:
select extract( ? from addtime) as mytime from table;
本篇文章如何使用PDO查询mysql避免SQL注入的方法,更多相关内容请关注php中文网。
相关推荐:
关于HTML5 localStorage and sessionStorage 之间的区别
The above is the detailed content of How to use PDO to query mysql to avoid SQL injection. For more information, please follow other related articles on the PHP Chinese website!
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
AI Hentai Generator
Generate AI Hentai for free.
Hot Article
Hot Tools
Notepad++7.3.1
Easy-to-use and free code editor
SublimeText3 Chinese version
Chinese version, very easy to use
Zend Studio 13.0.1
Powerful PHP integrated development environment
Dreamweaver CS6
Visual web development tools
SublimeText3 Mac version
God-level code editing software (SublimeText3)
Hot Topics
1377
52
Solution to PHP Fatal error: Call to undefined method PDO::prepare() in
Jun 22, 2023 pm 06:40 PM
PHP is a popular web development language that has been used for a long time. The PDO (PHP Data Object) class integrated in PHP is a common way for us to interact with the database during the development of web applications. However, a problem that some PHP developers often encounter is that when using the PDO class to interact with the database, they receive an error like this: PHPFatalerror:CalltoundefinedmethodPDO::prep
PHP and PDO: How to perform bulk inserts and updates
Jul 28, 2023 pm 07:41 PM
PHP and PDO: How to perform batch inserts and updates Introduction: When using PHP to write database-related applications, you often encounter situations where you need to batch insert and update data. The traditional approach is to use loops to perform multiple database operations, but this method is inefficient. PHP's PDO (PHPDataObject) provides a more efficient way to perform batch insert and update operations. This article will introduce how to use PDO to implement batch insert and update operations. 1. Introduction to PDO: PDO is PH
PHP PDO vs. mysqli: compare and contrast
Feb 19, 2024 pm 12:24 PM
PDOPDO is an object-oriented database access abstraction layer that provides a unified interface for PHP, allowing you to use the same code to interact with different databases (such as Mysql, postgresql, oracle). PDO hides the complexity of underlying database connections and simplifies database operations. Advantages and Disadvantages Advantages: Unified interface, supports multiple databases, simplifies database operations, reduces development difficulty, provides prepared statements, improves security, supports transaction processing Disadvantages: performance may be slightly lower than native extensions, relies on external libraries, may increase overhead, demo code uses PDO Connect to mysql database: $db=newPDO("mysql:host=localhost;dbnam
PHP and PDO: How to handle JSON data in a database
Jul 29, 2023 pm 05:17 PM
PHP and PDO: How to handle JSON data in databases In modern web development, processing and storing large amounts of data is a very important task. With the popularity of mobile applications and cloud computing, more and more data are stored in databases in JSON (JavaScript Object Notation) format. As a commonly used server-side language, PHP's PDO (PHPDataObject) extension provides a convenient way to process and operate databases. Book
PHP and PDO: How to perform paging queries and display data
Jul 29, 2023 pm 04:10 PM
PHP and PDO: How to query and display data in pages When developing web applications, querying and displaying data in pages is a very common requirement. Through paging, we can display a certain amount of data at a time, improving page loading speed and user experience. In PHP, the functions of paging query and display of data can be easily realized using the PHP Data Object (PDO) library. This article will introduce how to use PDO in PHP to query and display data by page, and provide corresponding code examples. 1. Create database and data tables
Nginx basic security knowledge: preventing SQL injection attacks
Jun 10, 2023 pm 12:31 PM
Nginx is a fast, high-performance, scalable web server, and its security is an issue that cannot be ignored in web application development. Especially SQL injection attacks, which can cause huge damage to web applications. In this article, we will discuss how to use Nginx to prevent SQL injection attacks to protect the security of web applications. What is a SQL injection attack? SQL injection attack is an attack method that exploits vulnerabilities in web applications. Attackers can inject malicious code into web applications
How to connect to Redis database using PDO
Jul 28, 2023 pm 04:29 PM
How to use PDO to connect to the Redis database. Redis is an open source, high-performance, in-memory storage key-value database that is commonly used in cache, queue and other scenarios. In PHP development, using Redis can effectively improve the performance and stability of applications. Through the PDO (PHPDataObjects) extension, we can connect and operate the Redis database more conveniently. This article will introduce how to use PDO to connect to a Redis database, with code examples. Install the Redis extension at the beginning
PHP and PDO: How to perform a full-text search in a database
Jul 30, 2023 pm 04:33 PM
PHP and PDO: How to perform a full-text search in a database In modern web applications, the database is a very important component. Full-text search is a very useful feature when we need to search for specific information from large amounts of data. PHP and PDO (PHPDataObjects) provide a simple yet powerful way to perform full-text searches in databases. This article will introduce how to use PHP and PDO to implement full-text search, and provide some sample code to demonstrate the process. first
