PDO and CodeIgniter - is it safe?

I don't have any previous experience with PDO, so my question may sound too simple.
I have heard a few times that PDO is better than mysql/mysqli in terms of security, and since CodeIgniter supports the PDO driver, I decided to make the change in my new project.

But as far as I'm aware, CodeIgniter doesn't use prepared statements, and (I think) that misses the point of using PDO. Is that correct, and is it insecure?
So my question: is using the PDO driver with CodeIgniter considered insecure?
And does that mean I must take care of the basic security by myself?

3 answers

  • dtntjwkl83750 2012-07-05 06:58

    All query calls are escaped in the simplified $this->db functions, such as delete() and get_where(). This adds some automated security.

    If written too sloppily, you may grant users access to edit other users' content, for instance. So there's no magical solution to full security. The more detailed you are, the more correctly your code will work for you.

    If you need custom queries, you can do it like this:

    $int_user_id = 1;
    // Query binding: each ? is replaced by the escaped value from the array,
    // so the value is never concatenated into the SQL text yourself.
    $query = $this->db->query("
        SELECT *
        FROM users
        WHERE id = ?
    ", array($int_user_id));

    Note: To implement IN () and LIKE, you need to escape accordingly, and not insert through array() and ?.
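    As an added example (not from the answer above and not CodeIgniter's own code), the same binding pattern in plain PDO, which is what the question asks about: a simple `?` bind, an IN () list built from one placeholder per value, and a LIKE term with its wildcards escaped. It uses an in-memory SQLite database and constructed rows so it runs without a server.

```php
<?php
// Added example, not from the original answer or from CodeIgniter.
// Constructed sample data in an in-memory SQLite database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// (With pdo_mysql you would also set PDO::ATTR_EMULATE_PREPARES to false
//  so the server, not the client library, does the binding.)

$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$ins = $pdo->prepare('INSERT INTO users (name) VALUES (?)');
foreach (['alice', 'bob', 'carol_x', 'caroline'] as $name) {
    $ins->execute([$name]);
}

// 1. Simple equality: the SQL text is fixed, the value travels separately,
//    so nothing the caller supplies can change the statement's structure.
$stmt = $pdo->prepare('SELECT id, name FROM users WHERE id = ?');
$stmt->execute([1]);
$byId = $stmt->fetch(PDO::FETCH_ASSOC);

// 2. IN (): one bound ? is always ONE scalar, so binding "2,3" to a single
//    placeholder does not work. Generate one placeholder per list element.
$ids = [2, 3];
$marks = implode(',', array_fill(0, count($ids), '?'));
$stmt = $pdo->prepare("SELECT name FROM users WHERE id IN ($marks) ORDER BY id");
$stmt->execute($ids);
$inList = $stmt->fetchAll(PDO::FETCH_COLUMN);

// 3. LIKE: binding prevents injection, but % and _ inside the bound value are
//    still wildcards. Escape them and declare the escape character in the SQL.
function likeEscape(string $term): string
{
    return str_replace(['\\', '%', '_'], ['\\\\', '\\%', '\\_'], $term);
}
$userInput = 'carol_';   // constructed input containing a literal underscore
$stmt = $pdo->prepare("SELECT name FROM users WHERE name LIKE ? ESCAPE '\\'");
$stmt->execute([likeEscape($userInput) . '%']);
$prefixed = $stmt->fetchAll(PDO::FETCH_COLUMN);   // the _ is now a literal

var_dump($byId, $inList, $prefixed);
```

    Run the same LIKE query without likeEscape() to see why the third case matters: the underscore then matches any single character, so the search returns rows the user never asked for.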


  • dongyan7950 2012-07-04 17:09

    From what I know (CodeIgniter newbie ;)) it takes care of security pretty well with ActiveRecords. I don't know if it's using PDO or not, but it's pretty darn easy to use, queries look really clean, and it has query caching.

  • doujingjiao0015 2012-07-14 09:50

    1. Database Support

    The core advantage of PDO over MySQL is in its database driver support. PDO supports many different drivers like CUBRID, MS SQL Server, Firebird/Interbase, IBM, MySQL, and so on.

    2. Security

    Both libraries provide SQL injection security, as long as the developer uses them the way they were intended. It is recommended that prepared statements are used with bound queries.

    3. Speed

    While both PDO and MySQL are quite fast, MySQL performs insignificantly faster in benchmarks – ~2.5% for non-prepared statements, and ~6.5% for prepared ones.

