
Principle Analysis of using PDO to prevent sql injection

2025-01-16 Update From: SLTechnology News&Howtos (Database)


Shulou(Shulou.com)06/01 Report--

Preface

This article looks at how PDO prepared statements (rendered as "preprocessing statements" in the Chinese translation of the manual) avoid SQL injection. Without further ado, let's go through the details.

The PHP manual says the following under "PDO - Prepared statements and stored procedures":

Many of the more mature databases support the concept of prepared statements. What is a prepared statement? Think of it as a compiled template for the SQL you want to run, which can be customized with variable parameters. Prepared statements offer two major benefits: the query only needs to be parsed (or prepared) once, but can be executed multiple times with the same or different parameters. When the query is prepared, the database analyzes, compiles and optimizes its plan for executing the query. For complex queries this process can take a long time, and repeating the same query many times with different parameters would slow the application down noticeably. By using a prepared statement the application avoids repeating the analyze/compile/optimize cycle. In short, prepared statements use fewer resources and therefore run faster. The parameters given to a prepared statement do not need to be quoted; the driver handles that automatically. If an application uses only prepared statements, the developer can be sure that no SQL injection will occur. However, if other portions of the query are built from unescaped input, SQL injection is still possible. Prepared statements are so useful that they are the only feature PDO will emulate for drivers that do not support them. This ensures that an application can use the same data access paradigm regardless of whether the database has this capability or not.

Both benefits named above are explained below:

1. First, MySQL stored procedures. Stored procedures were introduced in MySQL 5. When a stored procedure is created, the database has already parsed and optimized it. Second, once a stored procedure has been executed, a copy of it is kept in memory, so the next execution of the same procedure can read it directly from memory. The use of MySQL stored procedures is covered in: https://www.jb51.net/article/7032.htm

For PDO the principle is the same, except that PDO also supports PDO::ATTR_EMULATE_PREPARES (emulated prepares), in which the PDO driver does the preparation locally. Alternatively, emulation can be switched off and the preparation left entirely to MySQL. Both cases are described below.
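To make the two modes concrete, here is an added example (not code from the original article) that puts a string-concatenated query beside a native prepared statement and an emulated one. The DSN, credentials, the users table and the sample input are constructed for the demonstration; with emulation off, a packet capture of the native case shows a COM_STMT_PREPARE carrying the '?' placeholder and a separate COM_STMT_EXECUTE carrying the value, which is exactly why the value can never be parsed as SQL.

```php
<?php
// Added example, not from the original article. Assumes a reachable MySQL
// server matching this constructed DSN and a table users(id INT, name VARCHAR(64)).
$dsn  = 'mysql:host=127.0.0.1;dbname=testdb;charset=utf8mb4';
$user = 'app';
$pass = 'secret';

// Constructed untrusted input: closes the string literal and appends a
// condition, the textbook shape of an injection attempt.
$input = "alice' OR '1'='1";

// 1) Vulnerable: the value is spliced into the SQL text, so the quote in
//    $name changes the structure of the statement the server parses.
function vulnerableLookup(PDO $pdo, string $name): array {
    $sql = "SELECT id, name FROM users WHERE name = '$name'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// 2) Native prepared statement (emulation off): PHP sends COM_STMT_PREPARE
//    with the '?' placeholder, then COM_STMT_EXECUTE with the value as data.
//    The server compiles the template once and never parses $name as SQL.
function nativeLookup(PDO $pdo, string $name): array {
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE name = ?');
    $stmt->execute([$name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// 3) Emulated prepared statement (emulation on): the PDO driver quotes the
//    value locally, using the connection charset, and sends a single
//    COM_QUERY. Only bound values are protected; the SQL text around them
//    must still never be built from unescaped input.
function emulatedLookup(PDO $pdo, string $name): array {
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, true);
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$pdo = new PDO($dsn, $user, $pass, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);

// The vulnerable call returns every row in the table; the two prepared
// variants return only rows whose name is literally "alice' OR '1'='1".
printf("vulnerable: %d rows\n", count(vulnerableLookup($pdo, $input)));
printf("native:     %d rows\n", count(nativeLookup($pdo, $input)));
printf("emulated:   %d rows\n", count(emulatedLookup($pdo, $input)));
```

Run it with a few rows in users and compare the three counts; then capture the traffic as the article does to see the prepare/execute split in the native case versus the single query in the emulated case.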

2. To see how SQL injection is prevented, I captured the traffic with tcpdump and analyzed the packets in Wireshark.

Run a piece of code on the virtual machine that sends a request to the remote MySQL server:
