本文探讨了PHP PDO中无法将表名或列名作为参数使用的原因,并提出了一种通过手动过滤和白名单机制来动态构建SQL查询的安全方法。
Please see the following: http://us3.php.net/manual/en/book.pdo.php#69304
Table and Column names cannot be replaced by parameters in PDO.
In that case you will simply want to filter and sanitize the data manually. One way to do this is to pass in shorthand parameters to the function that will execute the query dynamically and then use a switch() statement to create a white list of valid values to be used for the table name or column name. That way no user input ever goes directly into the query. So for example:
function buildQuery( $get_var ) { switch($get_var) { case 1: $tbl = 'users'; break; } $sql = "SELECT * FROM $tbl"; }By leaving no default case or using a default case that returns an error message you ensure that only values that you want used get used.
-----------------------------
To understand why binding a table (or column) name doesn't work, you have to understand how the placeholders in prepared statements work: they are not simply substituted in as (suitably escaped) strings, and the resulting SQL executed. Instead, a DBMS asked to "prepare" a statement comes up with a complete query plan for how it would execute that query, including which tables and indexes it would use, which will be the same regardless of how you fill in the placeholders.
The plan for SELECT name FROM my_table WHERE id = :value will be the same whatever you substitute for :value, but the seemingly similar SELECT name FROM :table WHERE id = :valuecannot be planned, because the DBMS has no idea what table you're actually going to select from.
This is not something an abstraction library like PDO can or should work around, either, since it would defeat the 2 key purposes of prepared statements: 1) to allow the database to decide in advance how a query will be run, and use the same plan multiple times; and 2) to prevent security issues by separating the logic of the query from the variable input.
扫一扫
4636
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
