你如何在这个 PHP/PDO 中停止注入

Question

所以我看了这么多帖子、网站和视频，现在我很困惑！我似乎无法正确处理。 你如何在这个 PHP/PDO 中停止注入。我有这段代码有效，但它允许注入。

//*THIS WORKS BUT ALLOWS INJECTION
//*

//The variable $word comes from another php file where the search is created.
public function getAllCards($word) {

    $sql = "SELECT * FROM carddbtable WHERE businessNameDB='".$word."'";

foreach ($this->conn->query($sql) as $row) {

    echo json_encode($row)."<br>"."<br>";
}

$db = null;
}

使用这个新代码，我试图从“SELECT * FROM”语句中删除变量“$word” 停止注入并添加“准备”和错误检查以及“执行”语句，但我无法正确处理。我该怎么做？仅供参考，这是一个 GoDaddy 共享服务器。

//Getting the search "word" from the GetCards.php
 public function getAllCards($word) {

    //Empty var to store all returned info from db
    $returnArray = array();


    // sql statement to be executed 
    $sql = "SELECT * FROM carddbtable WHERE businessNameDB=':word";

    // prepare to be executed 
    $statement = $this->conn->prepare($sql);


    // error occurred
    if (!$statement) {
        throw new Exception($statement->error);
    }


    // execute statement
    $statement->execute( :word => '$word' );


//run the query
foreach ($this->conn->query($statement) as $row) {

echo json_encode($row)."<br>"."<br>";

}

    // store all appended $rows in $returnArray to be sent to app
    $returnArray[] = $row;   
} 

Answer 1

你几乎得到它。与许多数据库驱动程序一样，PDO 将负责所有的转义，因此请让占位符尽可能简单：

$sql = "SELECT * FROM carddbtable WHERE businessNameDB=:word";

那里不需要'。

现在，当您execute() 一个 PDO 语句时，您会得到一个需要捕获到变量中的结果：

$res = $statement->execute([ 'word' => $word ]);

正如 Ibu 和 chris85 指出的那样，'$word' 部分也是不正确的。避免引用单个变量，这不仅没有意义，而且会引起麻烦，就像这里你绑定到字面上的 dollar-sign word，而不是有问题的值。这对于"$word" 来说是双倍的。

然后你从中获取。现在你在声明中调用query()，这是不正确的。

要注意的另一件事是改掉制作像$sql 这样的一次性变量的习惯，因为这些只是垃圾。而是直接传递参数：

$statement = $this->conn->prepare("SELECT * FROM carddbtable WHERE businessNameDB=:word");

这样可以避免在处理这些事情时不小心将$sql3 与$sql8 混淆。

Answer 2

这就是我现在所拥有的。

  //Getting the search "word" from the GetCards.php
 public function getAllCards($word) {

    //Empty var to store all returned info from db
    $returnArray = array();


    //  prepare to be executed sql statement to be executed if not entered word
    $statement = $this->conn->prepare("SELECT * FROM carddbtable WHERE businessNameDB=:word");



    // error occurred
//        if (!$statement) {
//           throw new Exception($statement->error);

//        }


    // execute statement
    $res = $statement->execute([ 'word' => $word ]);


//run the query
foreach ($this->conn->query($res) as $row) {

echo json_encode($row)."<br>"."<br>";

}

    // store all appended $rows in $returnArray to be sent to app
    $returnArray[] = $row;   

} 

Answer 3

我搞定了

//*FUNCTION TO GET CARD FROM SEARCH WORD CALLED FROM GetCards.php   
public function getAllCards($word) {

//Connect to db using the PDO not PHP
$db = new PDO('mysql:host=localhost;dbname=xxxx', 'xxxx', 'xxxx');

//Here we prepare the SELECT statement from the search word place holder :word
$sql = $db->prepare('SELECT * FROM carddbtable WHERE businessNameDB=:word');

//We execute the $sql with the search word variable"$word"
$sql->execute([':word' => $word]);

//Looping through the results
foreach ($sql as $row)

//Print to screen
echo json_encode($row). "<br>"."<br>";
}