将mysql_query转换为PDO语句

时间:2013-05-17 19:27:34

标签: php mysql sql-injection

虽然有大量的PDO用法示例,但我无法成功地将mysql_query转换为PDO语句。

这是有效但不安全的:

<?php
$db = mysql_connect("localhost","username","passphrase");
mysql_select_db("database",$db);
$cat= $_GET["cat"];
/* grab a row and print what we need */
$result = mysql_query("SELECT * FROM cat WHERE cat = '$cat' ",$db);
$myrow3 = mysql_fetch_row($result);
echo "$myrow3[2]";
/* here's an array */
echo '<div class="container">';
$q = mysql_query("SELECT * FROM name WHERE Field4 = '$cat'",$db);
while ($res = mysql_fetch_array($q)){
    echo '<div class="item"><p><a href="bits.php?page=' . $res['Field2'] . '&' . $res['Field6'] . '">' . $res['Field1'] . '</a></p></div>';
}
echo '</div>';
?>

到目前为止,我尝试将mysql_query *转换为基于How to prevent SQL injection in PHP?的PDO语句。目前页面不显示,任何东西。任何见解都将不胜感激!

<?php

$pdo = new PDO('mysql:host=localhost;dbname=database','username','password');
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$cat= $_GET["cat"];
/* let try grabbing one of those rows, do not think an array should be here? */
$stmt = $pdo->prepare('SELECT * FROM cat WHERE cat = :cat');
$stmt->bindParam(':cat', $cat);
$result = $stmt->fetch(PDO::FETCH_ASSOC);
echo $result[2];
/* Now we need an array similar to what we had before */
echo '<div class="container">';
$stmt = $pdo->prepare('SELECT * FROM name WHERE Field4 = :Field4');
while ($res = $stmt->execute(array(':cat' => $cat))) {
    echo '<div class="item"><p><a href="bits.php?page=' . $res['Field2'] . '&' . $res['Field6'] . '">' . $res['Field1'] . '</a></p></div>';
}
echo '</div>';
?>

1 个答案:

答案 0 :(得分:3)

你这样做的方式,首先是关闭,并不能保护你。

PDO声明应该如下(来自手册):

$stmt = $dbh->prepare("INSERT INTO REGISTRY (name, value) VALUES (:name, :value)");
$stmt->bindParam(':name', $name);
$stmt->bindParam(':value', $value);

所以,举个例子:

$stmt = $pdo->prepare('SELECT * FROM cat WHERE cat = :cat');
$stmt->bindParam(':cat', $cat);
$result = $stmt->fetch(PDO::FETCH_ASSOC);

或者你可以这样做:

$stmt = $pdo->prepare("SELECT * FROM cat where cat = ?");
if ($stmt->execute(array($cat)) {
  while ($row = $stmt->fetch()) {
    //print stuff or whatever
  }
}

最后,在你的最后一部分:

while $stmt->execute(array(':cat' => $cat));
echo '<div class="item"><p><a href="bits.php?page=' . $res['Field2'] . '&' . $res['Field6'] . '">' . $res['Field1'] . '</a></p></div>';

看起来$ res似乎没有设定。它应该看起来像:

while ($res = $stmt->execute(array(':cat' => $cat)) {
    echo '<div class="item"><p><a href="bits.php?page=' . $res['Field2'] . 
         '&' . $res['Field6'] . '">' . $res['Field1'] . '</a></p></div>';
}
相关问题
最新问题