PDO support for multiple queries (PDO_MYSQL, PDO_MYSQLND)

Backend · Unresolved · 7 · 2299
长发绾君心 2020-11-21 06:03

I do know that PDO does not support multiple queries getting executed in one statement. I've been Googling and found a few posts talking about PDO_MYSQL and PDO_MYSQLND.

7 answers
  •  挽巷 (OP)
    2020-11-21 06:43

    Tried the following code

     // connection; errors are raised as PDOException
     $db = new PDO("mysql:host={$dbhost};dbname={$dbname};charset=utf8", $dbuser, $dbpass,
                   array(PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION));
    

    Then

     try {
         $db->query('SET NAMES gbk');
         $stmt = $db->prepare('SELECT * FROM 2_1_paidused WHERE NumberRenamed = ? LIMIT 1');
         // bound value: GBK lead byte 0xbf followed by a single quote
         $stmt->execute(array("\xbf\x27 OR 1=1 /*"));
     } catch (PDOException $e) {
         echo "DataBase Errorz: " . $e->getMessage() . "\n";
     } catch (Exception $e) {
         echo "General Errorz: " . $e->getMessage() . "\n";
     }

    And got

    DataBase Errorz: SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '/*' LIMIT 1' at line 1
    

    If I added $db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false); after $db = ...

    then I got a blank page.

    If I tried DELETE instead of SELECT, then in both cases I got an error like

     DataBase Errorz: SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '* FROM 2_1_paidused WHERE NumberRenamed = '¿\' OR 1=1 /*' LIMIT 1' at line 1
    

    So my conclusion is that no injection is possible...
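Added example (not code from the question, the answer, PDO or MySQL): a small Python model of the two stages that decide whether the bound value in the answer above ends the string literal. With emulated prepares, PDO escapes each parameter client-side using the charset the client library was told at connect time (the `charset=` in the DSN; a `SET NAMES` sent as a query does not update it), and then the server lexer scans the resulting literal under the connection charset that `SET NAMES gbk` selected. The charset tables are simplified (GBK lead 0x81-0xFE with trail 0x40-0xFE except 0x7F; UTF-8 lead bytes 0xC2-0xF4), the table and column names are taken from the answer, and the `Charset`, `escape_string`, `emulate_prepare`, `split_literal` and `server_view` names are this example's own.

```python
"""Toy model (added example, not MySQL/PDO code) of the GBK quote-escape test above.

escape_string  - client-side escaping as PDO does with ATTR_EMULATE_PREPARES=true
                 (mysql_real_escape_string semantics) under the *client's* charset.
split_literal  - how the server lexer scans a '...' literal under the charset
                 that SET NAMES selected. Charset rules are simplified for the demo.
"""
from dataclasses import dataclass
from typing import Callable

@dataclass(frozen=True)
class Charset:
    name: str
    ismbchar: Callable[[bytes, int], int]  # len of a *valid* multibyte char at i, else 0
    mbcharlen: Callable[[int], int]        # bytes a char starting with this lead byte should have

def _gbk_ismbchar(b, i):
    # GBK (simplified): lead 0x81-0xFE, trail 0x40-0xFE except 0x7F
    if i + 1 < len(b) and 0x81 <= b[i] <= 0xFE:
        t = b[i + 1]
        if 0x40 <= t <= 0xFE and t != 0x7F:
            return 2
    return 0

def _utf8_mbcharlen(c):
    if c < 0x80:
        return 1
    if c < 0xC2:
        return 0                       # continuation or overlong lead: illegal head
    return 2 if c < 0xE0 else 3 if c < 0xF0 else 4 if c <= 0xF4 else 0

def _utf8_ismbchar(b, i):
    n = _utf8_mbcharlen(b[i])
    if n < 2 or i + n > len(b):
        return 0
    return n if all(0x80 <= t <= 0xBF for t in b[i + 1:i + n]) else 0

GBK = Charset("gbk", _gbk_ismbchar, lambda c: 2 if 0x81 <= c <= 0xFE else 1)
UTF8 = Charset("utf8", _utf8_ismbchar, _utf8_mbcharlen)
_SPECIAL = {0x00: b"\\0", 0x0A: b"\\n", 0x0D: b"\\r", 0x1A: b"\\Z",
            0x5C: b"\\\\", 0x27: b"\\'", 0x22: b'\\"'}

def escape_string(value: bytes, cs: Charset) -> bytes:
    """mysql_real_escape_string-style escaping under the client's idea of the charset."""
    out, i = bytearray(), 0
    while i < len(value):
        n = cs.ismbchar(value, i)
        if n:                          # complete multibyte char: copied untouched
            out += value[i:i + n]
            i += n
            continue
        c = value[i]
        if cs.mbcharlen(c) > 1:        # looks like a lead byte but forms no valid char:
            out += b"\\" + bytes([c])  # escape it so it cannot swallow the next byte
        else:
            out += _SPECIAL.get(c, bytes([c]))
        i += 1
    return bytes(out)

def emulate_prepare(template: bytes, params, client_cs: Charset) -> bytes:
    """Emulated prepare: every ? is replaced client-side by a quoted, escaped value."""
    parts = template.split(b"?")
    assert len(parts) == len(params) + 1, "placeholder/param count mismatch"
    sql = parts[0]
    for p, tail in zip(params, parts[1:]):
        sql += b"'" + escape_string(p, client_cs) + b"'" + tail
    return sql

def split_literal(query: bytes, start: int, server_cs: Charset):
    """Scan the '...' literal opening at query[start] as the server lexer would.
    Returns (literal_body, rest): rest is what the server keeps parsing as SQL."""
    assert query[start] == 0x27
    i = start + 1
    while i < len(query):
        n = server_cs.ismbchar(query, i)
        if n:                          # whole multibyte char; a quote byte inside it is not a quote
            i += n
            continue
        c = query[i]
        if c == 0x5C:                  # backslash escapes the next byte
            i += 2
            continue
        if c == 0x27:
            if i + 1 < len(query) and query[i + 1] == 0x27:  # '' inside a literal
                i += 2
                continue
            return query[start + 1:i], query[i + 1:]
        i += 1
    raise ValueError("unterminated string literal")

TEMPLATE = b"SELECT * FROM 2_1_paidused WHERE NumberRenamed = ? LIMIT 1"
PAYLOAD = b"\xbf\x27 OR 1=1 /*"        # the value bound in the answer above

def server_view(client_cs: Charset, server_cs: Charset, payload: bytes = PAYLOAD):
    """What the server sees: (literal body, SQL text that follows the literal)."""
    sql = emulate_prepare(TEMPLATE, [payload], client_cs)
    return split_literal(sql, sql.index(b"'"), server_cs)

if __name__ == "__main__":
    for client in (UTF8, GBK):
        body, rest = server_view(client, GBK)
        print(f"client escapes as {client.name}, server parses as gbk: "
              f"literal={body!r} remainder={rest!r}")
```

Run stand-alone it prints the two outcomes. When the client escapes as utf8 (the DSN in the answer) and the server parses as gbk, `\xbf\x27` becomes `\xbf\x5c\x27`; the lexer consumes `\xbf\x5c` as one GBK character and the following quote closes the literal, leaving ` OR 1=1 /*' LIMIT 1` to be parsed as SQL, which is exactly the shape of the 1064 error quoted above ("near '/*' LIMIT 1'", an unterminated comment). When the client escapes with the same charset the server parses, the dangling lead byte is backslash-escaped too and the literal survives intact. A plain ASCII `' OR 1=1 /*` payload is blocked in both cases. With `PDO::ATTR_EMULATE_PREPARES` set to false the parameter never passes through this path at all: it is sent separately from the statement text and the lexer never sees it, which is the safe configuration regardless of which charset the DSN and `SET NAMES` disagree on.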
