Question

所以我看了很多帖子，网站和视频，现在我很困惑！我似乎无法做到这一点。你如何在这个PHP / PDO中停止注入。我有这个代码可以工作，但它允许注入。

//*THIS WORKS BUT ALLOWS INJECTION
//*

//The variable $word comes from another php file where the search is created.
public function getAllCards($word) {

    $sql = "SELECT * FROM carddbtable WHERE businessNameDB='".$word."'";

foreach ($this->conn->query($sql) as $row) {

    echo json_encode($row)."<br>"."<br>";
}

$db = null;
}

使用这个新代码我试图删除变量＆＃34; $ word＆＃34;来自＆＃34; SELECT * FROM＆＃34;声明停止注射并添加＆＃34;准备＆＃34;并且错误检查和＆＃34;执行＆＃34;声明，但我无法做到。我该怎么做？仅供参考，这是一个GoDaddy共享服务器。

//Getting the search "word" from the GetCards.php
 public function getAllCards($word) {

    //Empty var to store all returned info from db
    $returnArray = array();


    // sql statement to be executed 
    $sql = "SELECT * FROM carddbtable WHERE businessNameDB=':word";

    // prepare to be executed 
    $statement = $this->conn->prepare($sql);


    // error occurred
    if (!$statement) {
        throw new Exception($statement->error);
    }


    // execute statement
    $statement->execute( :word => '$word' );


//run the query
foreach ($this->conn->query($statement) as $row) {

echo json_encode($row)."<br>"."<br>";

}

    // store all appended $rows in $returnArray to be sent to app
    $returnArray[] = $row;   
}

Answer 1

你几乎得到了它。与许多数据库驱动程序一样，PDO将负责所有转义，因此只需尽可能简单地保留占位符：

<script src="https://ajax.googleapis.com/ajax/libs/jquery/2.1.1/jquery.min.js"></script>
<div class="scrollmenu">
  <a href="#home">Home</a>
  <a href="#news">News</a>
  <a href="#contact">Contact</a>
  <a href="#about">About</a>
  <a href="#support">Support</a>
  <a href="#blog">Blog</a>
  <a href="#tools">Tools</a>
  <a href="#base">Base</a>
  <a href="#custom">Custom</a>
  <a href="#more">More</a>
  <a href="#logo">Logo</a>
  <a href="#friends">Friends</a>
  <a href="#partners">Partners</a>
  <a href="#people">People</a>
  <a href="#work">Work</a>
</div>

那里不需要$sql = "SELECT * FROM carddbtable WHERE businessNameDB=:word";。

现在当你'一个PDO语句时，你得到一个你需要捕获到变量中的结果：

execute()

正如Ibu和chris85所指出的，$res = $statement->execute([ 'word' => $word ]);部分也是不正确的。避免引用单个变量，它不仅没有意义，它可能会带来麻烦，就像你绑定到字面上的美元符号字，而不是有问题的值。这对于'$word'来说是双倍的。

然后你从中获取。现在你在语句上调用"$word"，这是不正确的。

另一件需要注意的事情就是习惯于制作像query()这样的丢失变量，因为这些只是垃圾。而是直接传递参数：

$sql

如果您正在处理大量这些事情，这可以避免意外混淆$statement = $this->conn->prepare("SELECT * FROM carddbtable WHERE businessNameDB=:word");和$sql3。

Answer 2

这就是我现在所拥有的。

  //Getting the search "word" from the GetCards.php
 public function getAllCards($word) {

    //Empty var to store all returned info from db
    $returnArray = array();


    //  prepare to be executed sql statement to be executed if not entered word
    $statement = $this->conn->prepare("SELECT * FROM carddbtable WHERE businessNameDB=:word");



    // error occurred
//        if (!$statement) {
//           throw new Exception($statement->error);

//        }


    // execute statement
    $res = $statement->execute([ 'word' => $word ]);


//run the query
foreach ($this->conn->query($res) as $row) {

echo json_encode($row)."<br>"."<br>";

}

    // store all appended $rows in $returnArray to be sent to app
    $returnArray[] = $row;   

}

Answer 3

我有这个工作

//*FUNCTION TO GET CARD FROM SEARCH WORD CALLED FROM GetCards.php   
public function getAllCards($word) {

//Connect to db using the PDO not PHP
$db = new PDO('mysql:host=localhost;dbname=xxxx', 'xxxx', 'xxxx');

//Here we prepare the SELECT statement from the search word place holder :word
$sql = $db->prepare('SELECT * FROM carddbtable WHERE businessNameDB=:word');

//We execute the $sql with the search word variable"$word"
$sql->execute([':word' => $word]);

//Looping through the results
foreach ($sql as $row)

//Print to screen
echo json_encode($row). "<br>"."<br>";
}

你如何在这个PHP / PDO中停止注入

3 个答案: