dtkvlj5386 2013-10-07 11:29
Views: 32

Update security against SQL injection in Yii

Could you please tell me if these 2 fragments of code are secure in Yii. Fragment 1:

$numberOfRows = $this->updateAll(array('full_path' => $target, 'title' => $name, 'machine_name' => $name), 'full_path = :path', array(':path' => $path));

Should I escape $target and $name in this query?

Fragment 2:

$sql = "UPDATE folders";
$sql .= " SET full_path = CONCAT('" . $target . "',SUBSTR(full_path, " . (strlen($path) + 1) . ", LENGTH(full_path)-1))";
$sql .= " WHERE full_path LIKE '" . $path . "%'";
$command = $this->dbConnection->createCommand($sql);
$command->execute();

Should I escape $target and full_path here using CDbConnection::quoteValue() or something like this in these 2 fragments? I also wonder how to escape path in Fragment 2 to avoid issues with the special symbols used with LIKE (%, _).

I made changes to fragment 2 using binds and escaping %_:

$sql = "UPDATE folders";
$sql .= " SET full_path = CONCAT(:target, SUBSTR(full_path, " . (strlen($path) + 1) . ", LENGTH(full_path)-1))";
$sql .= " WHERE full_path LIKE  :pathFilter";
$command = $this->dbConnection->createCommand($sql);

//escape %_ that can be used in SQL LIKE expression
$pathFilter = addcslashes($path, '%_') . '%';

$command->bindParam(":pathFilter", $pathFilter, PDO::PARAM_STR);
$command->bindParam(":target", $target, PDO::PARAM_STR);

$command->execute();

Is it correct? Is there a more elegant way to do it?


2 answers

  • douba1214 2013-10-07 14:05

    Speaking of more elegant ways, you can always avoid named parameters, which will dramatically shorten your code:

    $sql  = "UPDATE folders SET";
    $sql .= " full_path = CONCAT(?, SUBSTR(full_path, ?, LENGTH(full_path)-1))";
    $sql .= " WHERE full_path LIKE ?";
    
    //escape %,_ and \ that can be used in SQL LIKE expression
    $pathFilter = addcslashes($path, '\%_') . '%'; // I've added a slash here
    
    $command = $this->dbConnection->createCommand($sql);
    $command->execute([$target, strlen($path) + 1, $pathFilter]);
    
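As an added illustration (not code from the question or the answer), the same UPDATE written against SQLite through Python's sqlite3, with the concatenated query of fragment 2 beside the bound-and-escaped form, so the effect of an unescaped `_` in the prefix and of a quote in the target can be seen on a constructed `folders` table. Assumptions: `||` stands in for CONCAT (SQLite lacks it), the two-argument SUBSTR returns the rest of the string, and the LIKE escape character is named explicitly because SQLite has no default (MySQL defaults to backslash).

```python
import sqlite3

def escape_like(value: str) -> str:
    """Escape the LIKE wildcards % and _ and the escape character itself,
    the same thing addcslashes($path, '\\%_') does in the answer above."""
    # Backslash first, so the backslashes added for % and _ are not escaped again.
    for ch in ("\\", "%", "_"):
        value = value.replace(ch, "\\" + ch)
    return value

def move_folder_tree(conn, path, target):
    """Hardened form of fragment 2: every value is a bound parameter, the LIKE
    prefix has its wildcards escaped, and the escape character is stated."""
    sql = ("UPDATE folders SET full_path = ? || SUBSTR(full_path, ?) "
           "WHERE full_path LIKE ? ESCAPE '\\'")  # '||' replaces CONCAT in SQLite
    return conn.execute(sql, (target, len(path) + 1, escape_like(path) + "%")).rowcount

def move_folder_tree_naive(conn, path, target):
    """The query built the way fragment 2 builds it: concatenation, no escaping."""
    sql = ("UPDATE folders SET full_path = '" + target + "' || SUBSTR(full_path, "
           + str(len(path) + 1) + ") WHERE full_path LIKE '" + path + "%'")
    return conn.execute(sql).rowcount

def rewrite_with(fn, path, target):
    """Run fn against a constructed sample table and return the resulting paths, sorted."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE folders (full_path TEXT)")
    # Constructed rows: /docs/axb differs from /docs/a_b only where '_' matches any char.
    conn.executemany("INSERT INTO folders VALUES (?)",
                     [("/docs/a_b",), ("/docs/a_b/x",), ("/docs/axb",), ("/docs/axb/y",)])
    fn(conn, path, target)
    return sorted(r[0] for r in conn.execute("SELECT full_path FROM folders"))

if __name__ == "__main__":
    # The naive query also rewrites /docs/axb and /docs/axb/y; the bound one does not.
    print(rewrite_with(move_folder_tree_naive, "/docs/a_b", "/archive/ab"))
    print(rewrite_with(move_folder_tree, "/docs/a_b", "/archive/ab"))
```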
