問題描述

在 PDO::Prepare 頁面 上，它指出，><塊引用>

并通過消除手動引用參數的需要來幫助防止 SQL 注入攻擊"

知道了這一點，是否有像 mysql_real_escape_string() 這樣的 PHP 函數負責轉義 PDO 的刺痛?還是 PDO 會替我處理好所有的逃生任務?

編輯

我現在意識到我問錯了問題.我的問題真的是，PDO 為我做什么?"我現在通過這些答案意識到它實際上只消除了對引號進行轉義的需要.但是我仍然需要對傳遞給執行函數的值執行任何其他 PHP 清理調用.比如htmlentities(),strip_tags()...等...

PDO 不會對變量進行轉義.變量和 SQL 命令通過 MySQL 連接獨立傳輸.而SQL 標記器(解析器)從不查看值.值只是逐字復制到數據庫存儲中，而不會造成任何傷害.這就是為什么不需要用準備好的語句編組數據的原因.

請注意，這主要是速度優勢.使用 mysql_real_escape_string() 您首先在 PHP 中編組變量，然后向服務器發送一個低效的 SQL 命令，這必須再次將實際 SQL 命令與值分離，這代價高昂.這就是為什么經常說安全優勢只是隱含的，而不是使用 PDO 的主要原因.

如果您連接 SQL 命令并且實際上不使用準備好的語句(不好！)，那么是的，仍然有 PDO 的轉義函數:$pdo->quote($string)

On the PDO::Prepare page it states,

"and helps to prevent SQL injection attacks by eliminating the need to manually quote the parameters"

Knowing this, is there a PHP function like mysql_real_escape_string() that takes care of escaping stings for PDO? Or does PDO take care of all escaping for me?

EDIT

I realize now that I asked the wrong question. My question really was, "What all does PDO take care of for me?" Which I realize now with these answers that it really only removes the need to escape the quotes. But I would still need to do any other PHP sanitize calls on the values that I pass to the execute function. Such as htmlentities(), strip_tags()...etc...

PDO does not escape the variables. The variables and the SQL command are transferred independently over the MySQL connection. And the SQL tokenizer (parser) never looks at the values. Values are just copied verbatim into the database storage without the possibility of ever causing any harm. That's why there is no need to marshall the data with prepared statements.

Note that this is mostly a speed advantage. With mysql_real_escape_string() you first marshall your variables in PHP, then send an inefficient SQL command to the server, which has to costly segregate the actual SQL command from the values again. That's why it's often said that the security advantage is only implicit, not the primary reason for using PDO.

If you concat the SQL command and don't actually use prepared statments (not good!), then yes, there still is an escape function for PDO: $pdo->quote($string)

這篇關于PHP PDO 準備好的語句需要轉義嗎?的文章就介紹到這了，希望我們推薦的答案對大家有所幫助，也希望大家多多支持html5模板網！