I am new to the CodeIgniter framework for PHP and was looking at the PDO database driver in version 2.1.0. I noticed it uses the PDO 'query' function and not 'prepare' and 'bindParam'/'bindValue'.
Doesn't this completely miss the point of using PDO in the first place, and in fact make it less protected from SQL injection than using the normal mysql driver they provide? It doesn't seem to be escaping queries like it does with the other provided drivers. Or am I completely misinterpreting something?
EDIT: It looks as if CodeIgniter may in fact be using PDO::quote to sanitize. But even the PHP documentation says this is not recommended as it is less secure, and it seems to miss the point of PDO in the first place.
I don't know CI, but there is a simple rule to remember:
As a matter of fact, it should always be escaping + quoting.
If we don't quote escaped data, escaping does us no good.
So, I suppose that CI does both. If so, it should be safe.
The only consequence I can think of is LIMIT parameters. If you pass them as variables of string type, a CI query might throw an error, like PDO in compatibility mode does. I'd be grateful if you test this behavior and post the result.
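The rule in the answer above (escaping is only useful when the result is also quoted, and a bound parameter sidesteps the question entirely) and the LIMIT caveat, as an added example that is not CodeIgniter's or PDO's own code. It uses an in-memory SQLite database so it runs without a server; the `users` table, the attacker inputs and the one-line escape helper are constructed for the demonstration, and the LIMIT failure described in the comments is MySQL's behaviour, shown only as the SQL text that would be sent rather than executed here.

```php
<?php
// Added example, not CodeIgniter's or PDO's own code. It demonstrates the rule
// from the answer (escaping is only useful if the result is also quoted; binding
// avoids the question entirely) and the LIMIT edge case. An in-memory SQLite
// database is used so it runs without a server; the LIMIT failure noted in the
// comments is MySQL's behaviour and is shown only as SQL text, not executed.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO users (name) VALUES ('alice'), ('bob')");   // constructed rows

/** Runs $sql (optionally with bound $params) and returns the number of rows. */
function rowCount(PDO $pdo, string $sql, array $params = []): int
{
    $stmt = $pdo->prepare($sql);
    $stmt->execute($params);
    return count($stmt->fetchAll(PDO::FETCH_ASSOC));
}

// Constructed attacker input for a numeric context: it contains no quote at all.
$evilId = '1 OR 1=1';

// 1. Escape only (doubling quotes, as a toy escape helper would). There is nothing
//    to escape, so the value is interpolated unchanged and the tautology is live SQL.
$escaped = str_replace("'", "''", $evilId);
printf("escape only : %d rows\n",
    rowCount($pdo, "SELECT * FROM users WHERE id = $escaped"));                 // 2 rows

// 2. Escape + quote via PDO::quote(): the whole value becomes one string literal.
$quoted = $pdo->quote($evilId);                                                   // '1 OR 1=1'
printf("quote()     : %d rows\n",
    rowCount($pdo, "SELECT * FROM users WHERE id = $quoted"));                   // 0 rows

// 3. Bound parameter: the value never becomes part of the SQL text.
printf("bound       : %d rows\n",
    rowCount($pdo, 'SELECT * FROM users WHERE id = :id', [':id' => $evilId]));   // 0 rows

// The same comparison for a string context, where the payload does carry a quote.
$evilName = "x' OR 1=1 --";
printf("quote() str : %d rows\n",
    rowCount($pdo, 'SELECT * FROM users WHERE name = ' . $pdo->quote($evilName)));   // 0 rows
printf("bound   str : %d rows\n",
    rowCount($pdo, 'SELECT * FROM users WHERE name = :n', [':n' => $evilName]));     // 0 rows

// 4. The LIMIT caveat. A request parameter arrives as a string; quoting it (which
//    is also what PDO's emulated prepares do for a PDO::PARAM_STR value) yields
//    LIMIT '10'. MySQL rejects that with a syntax error; SQLite happens to accept it.
$limit = '10';
echo 'SELECT * FROM users LIMIT ' . $pdo->quote($limit), "\n";                   // LIMIT '10'

// Correct handling: cast to int and bind as an integer so the literal is unquoted.
$stmt = $pdo->prepare('SELECT * FROM users LIMIT :n');
$stmt->bindValue(':n', (int) $limit, PDO::PARAM_INT);
$stmt->execute();
printf("LIMIT bound : %d rows\n", count($stmt->fetchAll(PDO::FETCH_ASSOC)));   // 2 rows
```

Run it with `php example.php`. The first query returns both rows because an escape-only step has nothing to act on when the attacker never sends a quote; `PDO::quote()` and a bound parameter both neutralise the payload because the value is treated as a single literal. The LIMIT step shows why a string-typed page size has to be cast and bound with `PDO::PARAM_INT`: with quoting (or emulated prepares and the default string type) the statement sent to MySQL is `LIMIT '10'`, which is a syntax error there.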