Does pg_prepare() (not PDO) prevent SQL injection?
PDO is not supported on the target system I'm working on, and although I am looking for a solution to prevent SQL injection in PHP 5.1.x on a PostgreSQL 8.2+ database, there is currently no possibility of switching to PDO.
My solution at the moment is a prepared statement via pg_prepare:
<?php
// Trying to prevent SQL injection: the query text is fixed, the user input
// is bound as parameters $1 and $2 and never becomes part of the SQL string.
// $dbconn is an open connection from pg_connect(). The table name is quoted
// because user is a reserved word in PostgreSQL and "FROM user" is a syntax error.
// (Storing passwords as an unsalted md5() is weak, but that is a separate
// concern from injection.)
$query = 'SELECT * FROM "user" WHERE login=$1 AND password=md5($2)';
$result = pg_prepare($dbconn, "", $query);   // "" = unnamed statement
$result = pg_execute($dbconn, "", array($_POST["user"], $_POST["password"]));
if ($result === false || pg_num_rows($result) < 1) {
    die("failure");
}
But the pg_prepare documentation lacks one important piece of information:
it talks about "later usage"
pg_prepare() creates a prepared statement for later execution with pg_execute() or pg_send_execute().[...]
it talks about "named/anonymous statements"
The function creates a prepared statement named stmtname from the query string, which must contain a single SQL command. stmtname may be "" to create an unnamed statement, in which case any pre-existing unnamed statement is automatically replaced;[...]
it talks about "typecasting"
Prepared statements for use with pg_prepare() can also be created by executing SQL PREPARE statements. (But pg_prepare() is more flexible since it does not require parameter types to be pre-specified.) Also, although there is no PHP function for deleting a prepared statement, the SQL DEALLOCATE statement can be used for that purpose.
but it does not say whether this implementation of prepared statements is safe from SQL injection.
* Almost all comments on this particular question refer to the PDO solution, where the documentation notes that the driver prevents SQL injection. But if pg_prepare could be a simple solution, I would use pg_prepare right now. *
Thanks for this important information, possibly the best practical solution.
EDIT (after marked as solution): Thanks for the very instructive answers!
I marked Frank Heikens' solution as the best answer, because it explains an important point about SQL injection. A programmer may use prepared statements, but the SQL injection hole may still be there by mistake! Aside from Frank Heikens' answer, hoppa shows that SQL injection is prevented using pg_prepare/pg_query_params. Thanks though. I will now use optimized code with pg_query_params (thanks to Milen A. Radev) and pg_escape_string() as an alternative when it comes to it (thanks to halfer).
All answers are helpful :)
<?php
// Trying to prevent SQL injection (**updated**): the query text stays
// constant and the user-supplied values are passed as parameters.
// $dbconn_login is an open connection from pg_connect(); "user" is quoted
// because user is a reserved word in PostgreSQL.
$sql_query = 'SELECT * FROM "user" WHERE login=$1 AND password=md5($2);';
$result = pg_query_params($dbconn_login, $sql_query, array($_POST["user"], $_POST["password"]));
if ($result === false || pg_num_rows($result) < 1) {
    die('failure');
}
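As an added example (not the question's own code, nor code from any of the answers it mentions), the following script shows the point the edit summarizes: a statement that is "prepared" but whose SQL text was built from user input is still injectable, while the same query with the values bound through pg_query_params (or, as a fallback, interpolated only after pg_escape_string) is not. The connection string, the "user"(login, password) table and the attack payload are assumptions made for illustration.

```php
<?php
// Added example, not the original poster's code. Assumes a reachable
// PostgreSQL server and a table "user"(login, password); the payload below
// is constructed for illustration.

// VULNERABLE: the "prepared" statement is built from user input, so the
// quote in the payload closes the string literal and the OR clause becomes
// part of the SQL. pg_prepare() cannot help here: by the time it sees the
// query, the attacker's text is already part of the command.
function findUserUnsafe($dbconn, $login, $password)
{
    $query = "SELECT * FROM \"user\" WHERE login='" . $login .
             "' AND password=md5('" . $password . "')";
    pg_prepare($dbconn, "unsafe_login", $query);
    return pg_execute($dbconn, "unsafe_login", array());
}

// SAFE: the query text is a constant; the values travel separately as
// parameters and are never parsed as SQL, whatever characters they contain.
function findUserSafe($dbconn, $login, $password)
{
    $query = 'SELECT * FROM "user" WHERE login=$1 AND password=md5($2)';
    return pg_query_params($dbconn, $query, array($login, $password));
}

// FALLBACK for code that must interpolate (e.g. a dynamic IN list): escape
// every value for the connection's encoding and quote it yourself.
// The two-argument form of pg_escape_string() needs PHP 5.2+; on 5.1 only
// pg_escape_string($data) against the default connection is available.
function findUserEscaped($dbconn, $login, $password)
{
    $query = "SELECT * FROM \"user\" WHERE login='" .
             pg_escape_string($dbconn, $login) .
             "' AND password=md5('" . pg_escape_string($dbconn, $password) . "')";
    return pg_query($dbconn, $query);
}

// Constructed attack input: a classic authentication bypass.
$payloadLogin    = "admin' OR '1'='1";
$payloadPassword = "anything";

// Assumed DSN; replace with the real one.
$dbconn = pg_connect("host=localhost dbname=app user=app password=secret");
if ($dbconn === false) {
    die("could not connect");
}

$unsafe = findUserUnsafe($dbconn, $payloadLogin, $payloadPassword);
// With the payload the WHERE clause became
//   login='admin' OR '1'='1' AND password=md5('anything')
// AND binds tighter than OR, so it reads login='admin' OR (...): the admin
// row is returned without knowing the password.
echo "unsafe rows: " . ($unsafe ? pg_num_rows($unsafe) : 0) . "\n";

$safe = findUserSafe($dbconn, $payloadLogin, $payloadPassword);
// Here $1 is compared with the literal string  admin' OR '1'='1  as data;
// no such login exists, so no row comes back.
echo "safe rows: " . ($safe ? pg_num_rows($safe) : 0) . "\n";

$escaped = findUserEscaped($dbconn, $payloadLogin, $payloadPassword);
// The escaped quote stays inside the literal, so the result matches the safe case.
echo "escaped rows: " . ($escaped ? pg_num_rows($escaped) : 0) . "\n";
```

The difference between the first and the second function is the whole answer to the question: pg_prepare()/pg_execute() and pg_query_params() are injection-safe only as long as every user-controlled value reaches the server as a bound parameter, never as part of the query string the statement is prepared from.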