将SQL转换为PDO以防止SQL注入[重复]

This question already has an answer here:

How can I prevent SQL injection in PHP? 28 answers

I am still new to php and MySQL as far as development is concerned. I would love some advice to make sure I am doing everything correctly. I have one page that I believe is converted the correct way and one page that I need to convert.

Here is the one that I have setup is this correct?

<?php $title = 'SEARCH'; $page = '';include 'includes/header.php';?>

<body>

<?php include 'includes/nav.php'; ?>

<?php
$q = $_GET['q'];

// CONNECT TO THE DATABASE
$DB_NAME = 'code_storage';
$DB_HOST = 'localhost';
$DB_USER = 'user';
$DB_PASS = 'pass';

try {
    $dbcon = new PDO("mysql:host=$DB_HOST;dbname=$DB_NAME", $DB_USER, $DB_PASS);
    //echo 'Connected to database';

    $sql = <<<SQL
    SELECT * 
    FROM snippets
    WHERE CODE_NAME LIKE '%$q%' OR
    CODE_DESC LIKE '%$q%' OR
    CODE_TAGS LIKE '%$q%' OR
    CODE_USAGE LIKE '%$q%'
 SQL;
    echo '<div class="row">';
    echo    '<div class="panel">';
        printf("Your search for <b>$q</b> returned %d records.
", $dbcon->query($sql)->rowCount());
    echo    '</div>';
    echo '</div>';

    foreach ($dbcon->query($sql) as $row) {
        //print $row['CODE_NAME'] . '<br/>' . "
";
        echo '   <div class="row">' . "
";
        echo '       <div class="large-12 columns">' . "
";
        echo '              <b><a href="results.php?id=' . $row['_ID'] . '">' . $row['CODE_NAME'] . '</a></b><br/><br/>' . "
";
        echo '       </div>' . "
";
        echo '   </div>' . '<br/><br/>' . "
";
    }


    $dbcon = null;
}
catch(PDOException $e)
{
    echo $e->getMessage();
}
 ?>
<?php include 'includes/footer.php';?>

And here is the one I still need to convert this is the once I could really use some help with

<?php

// CONNECT TO THE DATABASE
$DB_NAME = 'code_storage';
$DB_HOST = 'localhost';
$DB_USER = 'user';
$DB_PASS = 'pass';


$mysqli = new mysqli($DB_HOST, $DB_USER, $DB_PASS, $DB_NAME);

if (mysqli_connect_errno()) {
    printf("Connect failed: %s
", mysqli_connect_error());
    exit();
}

// Fix for the ' and " 

$_POST['name'] = $mysqli->real_escape_string($_POST['name']);
$_POST['desc'] = $mysqli->real_escape_string($_POST['desc']);
$_POST['usage'] = $mysqli->real_escape_string($_POST['usage']);
$_POST['code'] = $mysqli->real_escape_string($_POST['code']);
$_POST['tags'] = $mysqli->real_escape_string($_POST['tags']);

$sql = <<<SQL
    INSERT 
    INTO snippets
    (CODE_NAME,CODE_DESC,CODE_USAGE,CODE_SYNTAX,CODE_TAGS)
    VALUES
    ('$_POST[name]', '$_POST[desc]', '$_POST[usage]', '$_POST[code]', '$_POST[tags]');
SQL;

if(!$result = $mysqli->query($sql)){
    echo '<br/><br/><br/><br/>' . "
";
    echo '<div class="row">' . "
";
    echo '  <div class="large-12 columns">' . "
"; 
    echo '      <div data-alert class="alert-box alert">' . "
";
    echo '          There was an error' . "
";
    echo '          <a href="../site/upload.php" class="close">&times;</a>' . "
";
    echo '      </div>' . "
";
    echo '  </div>' . "
";
    echo '</div>' . "
";
    echo '<br/><br/><br/><br/>' . "
";
    echo '<div class="row">' . "
";
    echo '  <div class="large-12 columns">' . "
";
    die('There was an error with the code [' . $mysqli->error . ']');
    echo '  </div>' . "
";
    echo '</div>' . "
";

}
    echo '<br/><br/><br/><br/>' . "
";
    echo '<div class="row">' . "
";
    echo '  <div class="large-12 columns">' . "
"; 
    echo '      <div data-alert class="alert-box success">' . "
";
    echo '          Code Successfully Added' . "
";
    echo '          <a href="../site/" class="close">&times;</a>' . "
";
    echo '      </div>' . "
";
    echo '  </div>' . "
";
    echo '</div>' . "
";
    echo '<br/><br/><br/><br/>' . "
";
*/

?>

*EDIT* Here is what I have so far but it doesn't seem to be returning any records any ideas why?

 $q = $_GET['q'];

$DB_NAME = 'code_storage';
$DB_HOST = 'localhost';
$DB_USER = 'user';
$DB_PASS = 'pass';


$dsn = "mysql:host=$DB_HOST;dbname=$DB_NAME";
$db = new PDO($dsn, $DB_USER, $DB_PASS);

$query = "SELECT * FROM `SNIPPETS` WHERE `CODE_NAME` LIKE :name OR `CODE_DESC` LIKE :name OR `CODE_TAGS` LIKE :name OR `CODE_USAGE` LIKE :name";
$prep = $db->prepare($query);
$prep->execute(array(":name" => "%" . $q . "%"));

echo '<div class="row">';
    echo    '<div class="panel">';
       printf("Your search for <b>$q</b> returned %d records.
", $prep->rowCount());
    echo    '</div>';
echo '</div>';

while ($row = $prep->fetch()) {
    echo '   <div class="row">' . "
";
    echo '       <div class="large-12 columns">' . "
";

    echo             $row['CODE_NAME'] . '<br/><br/>' . "
";
    echo             $row['CODE_DESC'] . '<br/><br/>' . "
";
    echo             $row['CODE_USAGE']. '<br/><br/>' . "
";
    echo '       </div>' . "
";
    echo '   </div>' . '<br/><br/>' . "
"; 


}

$db = null;

I have found out that I am getting this error

Connection failed: SQLSTATE[HY093]: Invalid parameter number: number of bound    variables does not match number of tokens

</div>

写回答
好问题 0 提建议
追加酬金
关注问题
分享
邀请回答
编辑收藏删除结题
收藏举报

1条回答默认最新

关注

码龄粉丝数原力等级 --

被采纳

被点赞

采纳率
dongmei1911 2013-06-05 17:14
关注
Unfortunately, some versions of PDO don't know how to use a named parameter multiple times in the same query. If I recall, this bug is fixed in newer versions, but you may be stuck using an older version of PHP with PDO.

One workaround is this:

$query = "SELECT * FROM `SNIPPETS` WHERE `CODE_NAME` LIKE :name1 OR `CODE_DESC` LIKE :name2 OR `CODE_TAGS` LIKE :name3 OR `CODE_USAGE` LIKE :name4"; $prep = $db->prepare($query); $qpattern = "%" . $q . "%"; $prep->execute(array(":name1" => $qpattern, ":name2" => $qpattern, ":name3" => $qpattern, ":name4" => $qpattern));

Or else use positional parameters instead of named parameters:

$query = "SELECT * FROM `SNIPPETS` WHERE `CODE_NAME` LIKE ? OR `CODE_DESC` LIKE ? OR `CODE_TAGS` LIKE ? OR `CODE_USAGE` LIKE ?"; $prep = $db->prepare($query); $qpattern = "%" . $q . "%"; $prep->execute(array_fill(0, 4, $qpattern));

PS: Not related to your question about using prepared statements, but your use of '%pattern%' for full-text search is thousands of times slower than using any fulltext index solution.

Another good habit is to check for errors after every call to PDO::prepare() or PDOStatement::execute(). Either enable exception mode, or else check the return values for false:

if (($prep = $db->prepare(...)) === false) { // check $db->errorInfo() for details } if ($prep->execute(...) === false) { // check $prep->errorInfo() for details }

Checking for errors is also a best practice for the old mysql API, and the mysqli API.
本回答被题主选为最佳回答 , 对您是否有帮助呢?

解决无用
评论打赏
分享
举报

评论

按下Enter换行，Ctrl+Enter发表内容

报告相同问题？

关注问题

将SQL转换为PDO以防止SQL注入[重复] mysql php
2013-06-04 22:51

回答 1 已采纳 Unfortunately, some versions of PDO don't know how to use a named parameter multiple times in the
PDO错误sql状态42000 [重复] mysql php sql
2013-12-05 14:36

回答 1 已采纳 You should use backtick(`) symbol to enclose every column name since it may contain the mysql key
sql pdo选择菜单值$ _POST php sql
2017-04-23 16:50

回答 1 已采纳 You can add check for that : $sql = "SELECT DISTINCT * FROM Library"; if( (isset($_POST['titel']
大数据技术之数据安全与网络安全——CMS靶场(文章管理系统)实训
2023-11-25 00:25

星川皆无恙的博客数据与网络安全作为保障大数据系统正常运行的基石，同样备受关注。今天写博客时候发现自己很久没更新数据安全与网络安全方面的内容了，于是花了点时间写一篇CMS靶场实训博客。本文通过CMS靶场实训，深入分析CMS系统...
尝试将mysql select语句转换为PDO mysql php sql
2014-03-28 00:56

回答 1 已采纳 Warning: PDOStatement::bindValue() expects at least 2 parameters, 1 given in $searchEmail->b
如何将mySQL转换为PDO mysql php
2016-03-20 14:44

回答 2 已采纳 In your original MySQL_ query you have: $addGenAnnQuery = " INSERT INTO generalannounceme
PHP-试图将Mysqli转换为PDO php
2016-12-22 15:39

回答 4 已采纳 That's a horrifically awful way to select data from a database. It's far more complex than is nece
SQL入门及性能优化
2018-05-14 15:39

有时需要偏执狂的博客 SQL入门性能优化
将MYSQL_转换为PDO错误 php
2017-01-26 22:16

回答 2 已采纳 Take a look at this line: $userkey = $_GET['api']; And this line: ':userKey' => $userKey,
我如何将mysql脚本转换为mysqli或pdo？ [重复] mysql php sql
2015-07-10 04:16

回答 1 已采纳 First of all avoid using mysql_* these functions are deprecated, Your code is vulnrable to SQL Inj
将PHP示例代码从mysqli转换为PDO html5 mysql php
2017-08-30 15:47

回答 1 已采纳 This is how you would do this query in PDO database connection: $host = 'localhost'; $db = '';
PHP中PDO扩展库总结
2017-06-13 00:13

Json____的博客一.PDO作用 1.PDO(php data object)扩展类库为php访问数据库定义了轻量级的，一致性的接口 2.PDO提供了一个数据库访问抽象层，无论你使用了什么样的数据库，都可以通过一致的函数执行查询和获取数据，大大简化了...
关于sql选择和print_r数组的问题[重复] mysql php sql
2019-06-22 09:01

回答 1 已采纳 An example, your screenshot is not so good so I suppose you have colums titre, nom et auteur dans
资深架构师讲述：MySQL性能优化的21个最佳实践PDF篇含面试题答案
2022-03-31 13:14

90后小伙追梦之路的博客数据库今天，数据库的操作越来越成为整个应用的性能瓶颈了，这点对于Web应用尤其明显。...1.为查询缓存优化你的查询大多数的MySQL服务器都开启了查询缓存。这是提高性最有效的方法之一，而且这是...
DVWA全级别详细通关教程
2022-07-05 00:24

隐身的菜鸟的博客 dvwa全级别详细通关教程，暴力破解，命令注入，CSRF跨站请求伪造，文件包含，文件上传，SQL注入，XSS
sap采购组织和采购组_捏事件采购
2020-08-31 15:00

culi4814的博客这是关于将每个事件(您可以将其视为应用程序数据中的每个更改)捕获为一个独立的，可重复的事情。这是关于将这些事件按发生的相同时间顺序进行存储，以便我们随时随地到达任何时间点。 It’s about understanding ...
PHP之mysql面试题大全(58持续更新中)
2023-09-26 15:20

PHP隔壁老王邻居的博客五、mysql安全 1、sql注入是什么及如何预防sql注入？ 2、如何保护MySQL数据库的安全性？ 3、如何限制对MySQL数据库的访问？ 4、如何保护MySQL数据库中的敏感数据？一、mysql索引知识点 1、什么是索引排好序的...
最新PHP 面试、笔试题汇总(code happy)
2019-06-28 19:27

想出家的霸天虎的博客用户先进入排队队列，先进先出，判断是否已经在抢购结果队列，如果在，则直接下一个，如果不在，将用户信息加入抢购结果队列，库存-1，等待数据库空闲时，将抢购结果写入数据库前端：面对高并发的抢购活动，...
关于yii framework
2012-07-17 10:41

lyl198659的博客同时，也应注意与第三方库的冲突，可考虑对每个函数前加上自己的前缀，已做区分，例如框架核心均已C为前缀。 /** * This is the shortcut to DIRECTORY_SEPARATOR */ defined('DS') or define('DS',...
LINUX运维知识点总结(容器；云计算)
2023-04-24 15:34

赵唯一的博客 TTL指的是数据生命周期作用：避免数据在网络中无限循环转发原理：当网络中的数据包每经过一个路由器TTL值减1，当TTL值为0时，数据包丢弃。
没有解决我的问题, 去提问

悬赏问题

¥15 js调用html页面需要隐藏某个按钮
¥15 ads仿真结果在圆图上是怎么读数的
¥20 Cotex M3的调试和程序执行方式是什么样的？
¥15 一道python难题3
¥15 牛顿斯科特系数表表示
¥15 arduino 步进电机
¥20 程序进入HardFault_Handler
¥15 oracle集群安装出bug
¥15 关于#python#的问题：自动化测试
¥20 问题请教！vue项目关于Nginx配置nonce安全策略的问题

将SQL转换为PDO以防止SQL注入[重复]

1条回答 默认 最新

悬赏问题

1条回答默认最新