dsm13698679318
2012-07-04 17:04
Views: 34
Accepted

PDO and CodeIgniter - is it secure?

I don't have any previous experience with PDO, so my question may sound too simple.
I have heard a few times that PDO is better than mysql/mysqli in terms of security, and since CodeIgniter supports a PDO driver, I decided to make the change in my new project.

But as far as I'm aware, CodeIgniter doesn't use prepared statements, and (I think) that misses the point of using PDO. Is that correct, and is it insecure?
So my question: is using the PDO driver with CodeIgniter considered insecure?
And does that mean I must take care of the basic security by myself?


3 answers

  • dtntjwkl83750 2012-07-05 06:58
    Accepted answer

    All query calls are escaped in the simplified $this->db functions, such as delete() and get_where(). This adds some automated security.

    If written too sloppily, you may grant users access to edit other users' content, for instance. So there's no magical solution to full security. The more detailed you are, the more correctly your code will work for you.

    If you need custom queries, you can do it like this:

    $int_user_id = 1;

    // Each ? is replaced with the escaped value from the bind array,
    // so the user id never becomes part of the SQL text itself.
    $query = $this->db->query("
        SELECT *
        FROM users
        WHERE id = ?
    ", array($int_user_id));

    Note: To implement IN () and LIKE, you need to escape accordingly, and not insert through array() and ?.

    See also: query(), escape()

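The accepted answer says IN () and LIKE cannot go through query()'s `?` binding in CodeIgniter and must be escaped by hand. As an added example that is not from the original answers, here is how the same two cases are handled with plain PDO prepared statements (what CodeIgniter's PDO driver sits on top of), against a constructed in-memory SQLite table; in CodeIgniter's own API the equivalents are where_in() / like(), or escape() and escape_like_str() when writing the SQL by hand.

```php
<?php
// Added example, not part of the original post. Uses PDO + SQLite only.

function buildDb(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Constructed sample data; the third name contains LIKE wildcards on purpose.
    $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
    $ins = $pdo->prepare('INSERT INTO users (id, name) VALUES (?, ?)');
    foreach ([[1, 'alice'], [2, 'bob'], [3, 'carol_50%']] as $row) {
        $ins->execute($row);
    }
    return $pdo;
}

// IN (): emit one ? per value, so the SQL text is shaped by the code and the
// values are bound, instead of joining user input into the list.
function usersIn(PDO $pdo, array $ids): array
{
    if ($ids === []) {
        return [];
    }
    $marks = implode(',', array_fill(0, count($ids), '?'));
    $stmt  = $pdo->prepare("SELECT name FROM users WHERE id IN ($marks) ORDER BY id");
    $stmt->execute(array_values($ids));
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// LIKE: bind the whole pattern as one value. Escape % and _ supplied by the
// user so they match literally, and declare the escape character to SQLite.
function usersLike(PDO $pdo, string $term): array
{
    $escaped = str_replace(['\\', '%', '_'], ['\\\\', '\\%', '\\_'], $term);
    $stmt = $pdo->prepare("SELECT name FROM users WHERE name LIKE ? ESCAPE '\\'");
    $stmt->execute(['%' . $escaped . '%']);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$pdo = buildDb();
print_r(usersIn($pdo, [1, 3]));           // alice, carol_50%
print_r(usersLike($pdo, '50%'));          // carol_50% only, not every row
print_r(usersLike($pdo, "' OR 1=1 --"));  // empty: the value never becomes SQL
```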
  • dongyan7950 2012-07-04 17:09

    From what I know (CodeIgniter newbie ;)) it takes care of security pretty well with ActiveRecords. I don't know if it's using PDO or not, but it's pretty darn easy to use, queries look really clean, and it has query caching.

  • doujingjiao0015 2012-07-14 09:50
    1. Database Support

    The core advantage of PDO over MySQL is in its database driver support. PDO supports many different drivers like CUBRID, MS SQL Server, Firebird/Interbase, IBM, MySQL, and so on.

    2. Security

    Both libraries provide SQL injection security, as long as the developer uses them the way they were intended. It is recommended that prepared statements are used with bound queries.

    3. Speed

    While both PDO and MySQL are quite fast, MySQL performs insignificantly faster in benchmarks – ~2.5% for non-prepared statements, and ~6.5% for prepared ones.
