doujing1858 2012-02-23 02:31
Views: 52
Accepted

Prepared statements and $_GET (any security issues?) [duplicate]

Possible Duplicate:
How prepared statements can protect from SQL injection attacks?

If I'm using $_GET with PDO do I still need to escape it? My understanding is that this is immune to SQL injection, however I still feel uneasy about not escaping it. So could someone please look at this little block of code and tell me if it is secure?

<?php
$hostname = 'localhost';
$username = 'root';
$password = 'root';
$database = 'database';
try {
    $dbh = new PDO("mysql:host=$hostname;dbname=$database", $username, $password);
    $dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // The placeholder keeps the user-supplied value out of the SQL text;
    // it is sent to the server separately and never parsed as SQL.
    $stmt = $dbh->prepare("SELECT * FROM comments WHERE pid = :pid");
    $pid = $_GET['pid'];
    $stmt->bindParam(':pid', $pid, PDO::PARAM_STR);
    $stmt->execute();
    $result = $stmt->fetchAll();
    // rowCount() belongs inside the try block: if prepare() threw, $stmt does not exist,
    // and a second execute() here would only re-run the same query.
    echo $stmt->rowCount();
} catch (PDOException $e) {
    echo $e->getMessage();
}
$dbh = null;
?>

Again, it's the $_GET I'm concerned about. Any help is appreciated, thank you.


1 answer

  • dongling4288 2012-02-23 03:04

    Yes, the prepared statement feature does what it says. But since you asked, let's be clear that it's not the end of the story. I'm looking at the OWASP Top Ten Application Security Risks 2010.

    For example:

    • Is every remote user authorized to access data associated with every PID? If not, failing to check that the user is authorized is a clear example of OWASP 2010-A4-Insecure Direct Object References.
    • You're probably not serious about hardcoding the password in cleartext, because that is a clear example of OWASP 2010-A7-Insecure Cryptographic Storage.
    • You don't say what you might do with $stmt apart from echoing the rowcount, but of course if you display any content from the database you'll be careful to escape HTML entities first. Otherwise you would create a clear example of OWASP 2010-A2-Cross-Site Scripting (XSS).
    • By the way, it's generally better to specify columns (or aggregate functions) explicitly rather than to "SELECT *".
    This answer was selected by the asker as the best answer.
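The answer's points applied to the asker's query, as an added PHP example that is code from neither post: the schema (comments with id/author/body, posts with owner_id), the session key and the environment variable names are assumptions.

```php
<?php
// Added example, not the asker's or answerer's code. Assumed schema:
// comments(id, pid, author, body) and posts(id, owner_id); assumed the
// logged-in user's id is kept in $_SESSION['user_id'].
session_start();

// A7: credentials come from the environment instead of the source file.
$dbh = new PDO(
    sprintf('mysql:host=%s;dbname=%s;charset=utf8mb4', getenv('DB_HOST'), getenv('DB_NAME')),
    getenv('DB_USER'),
    getenv('DB_PASS'),
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]
);

// Reject anything that is not a positive integer before it reaches the database.
// filter_input() returns null when pid is absent and false when it fails validation.
$pid = filter_input(INPUT_GET, 'pid', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($pid === false || $pid === null) {
    http_response_code(400);
    exit('invalid pid');
}

// A4: the caller must own the post (assumed rule) before its comments are returned.
$owner = $dbh->prepare('SELECT owner_id FROM posts WHERE id = :pid');
$owner->bindValue(':pid', $pid, PDO::PARAM_INT);
$owner->execute();
$ownerId = $owner->fetchColumn();
if ($ownerId === false || (int) $ownerId !== (int) ($_SESSION['user_id'] ?? 0)) {
    http_response_code(404); // same response for "missing" and "not yours"
    exit('not found');
}

// The parameter is bound, so the SQL text never contains user data; columns are listed explicitly.
$stmt = $dbh->prepare('SELECT id, author, body FROM comments WHERE pid = :pid');
$stmt->bindValue(':pid', $pid, PDO::PARAM_INT);
$stmt->execute();

// A2: escape on output, because a safe query says nothing about safe rendering.
foreach ($stmt->fetchAll(PDO::FETCH_ASSOC) as $row) {
    printf(
        "<p>%s: %s</p>\n",
        htmlspecialchars($row['author'], ENT_QUOTES, 'UTF-8'),
        htmlspecialchars($row['body'], ENT_QUOTES, 'UTF-8')
    );
}
```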
