Converting to PDO parameter binding

Time: 2014-12-27 07:58:41

Tags: php mysql pdo

I am using SensioLabsInsight to analyse my code for any vulnerabilities.

I received several possible SQL injection errors, and it suggests using PDO parameter binding. That is fine, since I am already using PDO in my db driver.

Right now my model is passed a $data array, and then checks the array for specific values to add to the SQL query (if they exist), like so:

public function getDownloads($data = array()) {
    $sql = "
        SELECT * 
        FROM {$this->db->prefix}download d 
        LEFT JOIN {$this->db->prefix}download_description dd 
            ON (d.download_id = dd.download_id) 
        WHERE dd.language_id = '" . (int)$this->config->get('config_language_id') . "'";

    if (!empty($data['filter_name'])) {
        $sql .= " AND dd.name LIKE '" . $this->db->escape($data['filter_name']) . "%'";
    }

    $sort_data = array(
        'dd.name',
        'd.remaining'
    );

    if (isset($data['sort']) && in_array($data['sort'], $sort_data)) {
        $sql .= " ORDER BY " . $data['sort'];   
    } else {
        $sql .= " ORDER BY dd.name";    
    }

    if (isset($data['order']) && ($data['order'] == 'DESC')) {
        $sql .= " DESC";
    } else {
        $sql .= " ASC";
    }

    if (isset($data['start']) || isset($data['limit'])) {
        if ($data['start'] < 0) {
            $data['start'] = 0;
        }           

        if ($data['limit'] < 1) {
            $data['limit'] = 20;
        }   

        $sql .= " LIMIT " . (int)$data['start'] . "," . (int)$data['limit'];
    }

    $query = $this->db->query($sql);

    return $query->rows;
}

The error reported by the SensioLabsInsight analysis only references the $data['sort'] clause as a possible injection point.

My question is whether, when creating the prepared statement, I need to test for the existence of the $data array values, or whether it just returns null if the array value is empty.

My proposed new query with parameter binding would look like this:

public function getDownloads($data = array()) {
    $sql = "
        SELECT * 
        FROM {$this->db->prefix}download d 
        LEFT JOIN {$this->db->prefix}download_description dd 
            ON (d.download_id = dd.download_id) 
        WHERE dd.language_id = '" . (int)$this->config->get('config_language_id') . "'";

    if (!empty($data['filter_name'])) {
        $sql .= " AND dd.name LIKE :filter_name%";
    }

    $sort_data = array(
        'dd.name',
        'd.remaining'
    );

    if (isset($data['sort']) && in_array($data['sort'], $sort_data)) {
        $sql .= " ORDER BY :sort";  
    } else {
        $sql .= " ORDER BY dd.name";    
    }

    if (isset($data['order']) && ($data['order'] == 'DESC')) {
        $sql .= " DESC";
    } else {
        $sql .= " ASC";
    }

    if (isset($data['start']) || isset($data['limit'])) {
        if ($data['start'] < 0) {
            $data['start'] = 0;
        }           

        if ($data['limit'] < 1) {
            $data['limit'] = 20;
        }   

        $sql .= " LIMIT :start, :limit";
    }

    $this->db->prepare($sql);
    $this->db->bindParam(':filter_name', $data['filter_name']);
    $this->db->bindParam(':sort', $data['sort']);
    $this->db->bindParam(':start', $data['start'], PDO::PARAM_INT);
    $this->db->bindParam(':limit', $data['limit'], PDO::PARAM_INT);

    $query = $this->db->execute();

    return $query->rows;
}

Will this work properly, or does the parameter binding need to move into the if/else conditions?
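A working version of the proposed query, added here as an example and not the asker's code: it assumes a plain PDO object over an in-memory SQLite database with constructed rows instead of the $this->db wrapper and MySQL, and drops the table prefix. It binds the LIKE wildcard inside the value, whitelists the ORDER BY column and direction (identifiers cannot be bound), binds LIMIT values as integers, and binds only the placeholders that actually occur in the SQL.

```php
<?php
// Added example, not the asker's code: same query over a plain PDO connection
// (in-memory SQLite with constructed rows) instead of the $this->db wrapper.
function getDownloads(PDO $pdo, int $languageId, array $data = []): array {
    $sql = "SELECT d.download_id, dd.name, d.remaining FROM download d
            LEFT JOIN download_description dd ON (d.download_id = dd.download_id)
            WHERE dd.language_id = :language_id";
    // Only placeholders that actually occur in $sql may be bound later.
    $params = [':language_id' => $languageId];

    if (!empty($data['filter_name'])) {
        // The % wildcard belongs in the bound value, not next to the placeholder.
        $sql .= " AND dd.name LIKE :filter_name";
        $params[':filter_name'] = $data['filter_name'] . '%';
    }

    // Column names and keywords cannot be bound; whitelist them instead.
    $sortColumns = ['dd.name', 'd.remaining'];
    $sort = (isset($data['sort']) && in_array($data['sort'], $sortColumns, true))
        ? $data['sort'] : 'dd.name';
    $order = (isset($data['order']) && $data['order'] === 'DESC') ? 'DESC' : 'ASC';
    $sql .= " ORDER BY $sort $order";

    if (isset($data['start']) || isset($data['limit'])) {
        $start = max(0, (int)($data['start'] ?? 0));
        $limit = (int)($data['limit'] ?? 0);
        if ($limit < 1) { $limit = 20; }
        $sql .= " LIMIT :limit OFFSET :start";
        $params[':start'] = $start;
        $params[':limit'] = $limit;
    }

    $stmt = $pdo->prepare($sql);
    foreach ($params as $name => $value) {
        // LIMIT/OFFSET need PDO::PARAM_INT, or emulated prepares quote them as strings.
        $stmt->bindValue($name, $value, is_int($value) ? PDO::PARAM_INT : PDO::PARAM_STR);
    }
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample rows in an in-memory SQLite database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE download (download_id INTEGER, remaining INTEGER)");
$pdo->exec("CREATE TABLE download_description (download_id INTEGER, language_id INTEGER, name TEXT)");
$pdo->exec("INSERT INTO download VALUES (1, 5), (2, 3), (3, 9)");
$pdo->exec("INSERT INTO download_description VALUES (1, 1, 'Alpha'), (2, 1, 'Alps'), (3, 1, 'Beta')");
// Filter is bound as 'Al%', sort column comes from the whitelist, limit is bound as an integer.
print_r(getDownloads($pdo, 1, ['filter_name' => 'Al', 'sort' => 'd.remaining', 'order' => 'DESC', 'limit' => 10]));
```

Binding every placeholder unconditionally, as in the proposed code, fails on drivers that check the parameter count, so the example only binds what it appended to the SQL.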
