1

我有一个页面,它将不同的参数附加到用于查询的 URL。

例如

http://www.example.com/search.php?category=Schools&country[]=Belgium&country[]=Czech+Republic

我的代码是这样的

if(isset($_GET['country'])){
$cties = "'" . implode("','", $_GET['country']) . "'";
}
else {
$cties = "'Albania','Andorra','Austria','Belarus','Belgium','Bosnia & Herzegovina','Bulgaria','Croatia','Czech Republic','Denmark','Estonia','Faroe Islands','Finland','France','Germany','Gibraltar','Great Britain','Greece','Hungary','Iceland','Ireland','Isle of Man','Italy','Latvia','Liechtenstein','Lithuania','Luxembourg','Macedonia','Malta','Moldova','Monaco','Montenegro','Netherlands','Norway','Poland','Portugal','Serbia','Romania','San Marino','Slovakia','Slovenia','Spain','Sweden','Switzerland','Ukraine','United Kingdom'";           
}
if(isset($_GET['category'])){
$cat = $_GET['category'];
}
else{
$cat = " ";
}

try{
// create the Prepared Statement

$stmt = $con->prepare("SELECT * FROM MyTable 
WHERE MyDate >= DATE(NOW()) 
AND (Category=:cat or '' = :cat) 
AND Country IN ($cties)
ORDER BY MyDate ASC");
$stmt->bindValue(':cat', $cat, PDO::PARAM_STR);
$stmt->execute();

我想知道这个查询是否安全,如果不安全,我做错了什么。提前致谢!

我终于明白了(感谢你的常识):

if(isset($_GET['country'])){
$arr = $_GET['country']; 
}
else {          
$arr = array('Albania','Andorra','Austria','Belarus','Belgium','Bosnia & Herzegovina','Bulgaria','Croatia','Czech Republic','Denmark','Estonia','Faroe Islands','Finland','France','Germany','Gibraltar','Great Britain','Greece','Hungary','Iceland','Ireland','Isle of Man','Italy','Latvia','Liechtenstein','Lithuania','Luxembourg','Macedonia','Malta','Moldova','Monaco','Montenegro','Netherlands','Norway','Poland','Portugal','Serbia','Romania','San Marino','Slovakia','Slovenia','Spain','Sweden','Switzerland','Ukraine','United Kingdom');
}
if(isset($_GET['category'])){
$cat = $_GET['category'];
}
else{
$cat = " ";
}
// create the Prepared Statement
$in  = str_repeat('?,', count($arr) - 1) . '?';

$sql = "SELECT * FROM MyTable WHERE MyDate >= DATE(NOW()) 
    AND Country IN ($in)
    AND (Category=? or '' = ?) 
    ORDER BY MyDate ASC";
$stmt  = $con->prepare($sql);
$arr[] = $cat;  // adding category to array
$arr[] = $cat;  // we need it twice here
// finally - execute
$stmt->execute($arr);
4

2 回答 2

2

是的,现在我看到了你的问题。好吧,PDO 对于这样的任务来说不是太方便的库。因此,首先我将向您展示如何使用我自己的库来完成它:

$sql = "SELECT * FROM MyTable WHERE MyDate >= CURDATE() 
          AND (Category=?s or '' = ?s) 
          AND Country IN (?a)
          ORDER BY MyDate ASC"
$data = $db->getAll($sql, $cat, $cat, $_GET['country']);

但我很清楚你们都那么倾向于熟悉的方法。好吧,让我们用丑陋的PDO详细说明

首先,目标是什么?目标是

  1. 创建包含所有数据的占位符的查询。我会坚持使用位置占位符,因为它们更容易实现。
  2. 创建一个包含所有必须绑定到占位符的变量的数组

看来我们需要两个占位符来表示类别和一些来自城市的未知数字。好吧,这一行将创建一个占位符字符串:

$in   = str_repeat('?,', count($arr) - 1) . '?';

我们将要插入到查询中。

// $arr is array with all the vars to bind. at the moment it contains cities only
$arr = $_GET['country']; 
// creating string of ?s
$in  = str_repeat('?,', count($arr) - 1) . '?';
// building query
$sql = "SELECT * FROM MyTable WHERE MyDate >= DATE(NOW()) 
              AND Country IN ($in)
              AND (Category=? or '' = ?) 
              ORDER BY MyDate ASC";
$stm  = $db->prepare($sql);
$arr[] = $_GET['category'];  // adding category to array
$arr[] = $_GET['category'];  // we need it twice here
// finally - execute
$stm->execute($arr);
$data = $stm->fetchAll();
于 2013-11-02T22:08:48.910 回答
0

不,可以在$_GET['country']参数中注入 SQL 代码。你不会在任何地方逃脱它。

请参阅PHP PDO:我可以将数组绑定到 IN() 条件吗?

于 2013-11-02T19:33:03.683 回答