问题
I understand that using PDO makes SQL injections virtually impossible. However, I don't have time at the moment to change all the database related code in our website. (Especially since I'm new at PDO, there's some learning curve involved). So I want to know what mysql/php functions will give the same security that PDO does.
Will these two points be enough?
- Making sure all $_GET and $_POST data are of the type expected (such as product ids should only be numerical, so I could use
is_numeric). - Using
mysql_real_escape_string.
Or is there anything else I should do? The way the website is, is that based on id=x in the query string, things might go to the database. And what I saw after the hack was that in the database, all things that can go to the database through query strings had been compromised with values like cd etc/pwd.
回答1:
The short version: move from the mysql extension to the mysqli extension, and replace your queries that take parameters to prepared statements (here is a quickstart guide).
But in the long run, learning right now PDO won't take that long and it is worth the effort.
As a side note:
I understand that using PDO makes SQL injections virtually impossible.
That is not true, it is possible to write an injectable query in PDO. This code in PDO is as bad as it is in the old mysql extension (two vulnerabilities vector for the price of one here !):
$pdo_obj->query("SELECT password FROM users WHERE id = '".$_GET['id']."'");
PDO only provide the tools to protect yourself and make them easy to use. You always, always have to take care of validating and filtering the input yourself. But with prepared statement, you can at least let the database know what is supposed to be a parameter, and what is supposed to be a part of the query.
来源:https://stackoverflow.com/questions/16634120/mysql-and-php-fixes-to-replicate-pdo-security