【发布时间】:2017-01-31 04:07:50
【问题描述】:
我正在编写一个 API 类来查询数据。我在类中有一个函数,它使用 SELECT 语句来查询特定硬编码表名(即 eventLog)的数据。
下面列出了查询,其中:value 引用了传递给函数的参数:
// query
$sql = "SELECT :selectType
FROM `log` :clause
ORDER BY `:orderByColumn` :orderByClause
LIMIT :limitStart, :limitStep";
我正在尝试使用 PDO 语句来防止 SQL 注入。我已经阅读了一些关于如何正确编写 PDO 语句的有用文档,包括 bindValue / bindParam。
以下是完整的类文件:
<?php
// set requirements
require_once 'Database.php';
/* EventLogsAPI class
* This class is used to query data from the eventLog table, and handle other data processing
*/
class EventLogsAPI {
// set class member variables
private $connection; // database connection
private $records; // records from query
/* Constructor function
*/
public function __construct() {
// create DB object
$this->connection = new DBConnection();
}
/* Collect records function
* Get the records from this prep statement, and store them in $this->records
*
* @param object - database object
*/
public function collectRecords($prep) {
// clear records from previous query
$this->records = array();
// execute query
$prep->execute();
// for each record
while (false !== ($row = $prep->fetch(PDO::FETCH_ASSOC))) {
$this->records[] = $row;
}
}
/* getEventLogData function
* Get event log data with a optional (where) clause
*
* @param string - select state (*, distinct, etc...)
* @param string - conditional SQL clause (e.g. where ID = 2)
* @param string - order by column (e.g. user, ID, date, etc...)
* @param string - order by clause (e.g. asc, desc)
* @param integer - starting limit param (i.e. 0)
* @param integer - limit step param (i.e. 25)
* @param boolean - used to debug SQL
* @return JSON - json containing array of records
*/
public function getEventLogData($selectType, $clause, $orderByColumn, $orderByClause, $limitStart, $limitStep) {
// query
$sql = "SELECT :selectType
FROM `log` :clause
ORDER BY `:orderByColumn` :orderByClause
LIMIT :limitStart, :limitStep";
// prep the query
$prep = $this->connection->DB('log')->prepare($sql);
// for each function argument
foreach ($bind = func_get_args() as $key => $value) {
// prevent null values
if ($value == NULL) {
// set to empty strings
$bind[$key] = "";
}
// bind value
$prep->bindValue(":$bind[$key]", $bind[$key]);
// debug
echo ($key . " - " . $value . "\n");
}
// collect the records
$this->collectRecords($prep);
// return records
return json_encode($this->records);
}
}
?>
Chrome 控制台中返回的网络响应:
0 - *
1 -
2 - date
3 - DESC
4 - 0
5 - 20
<br />
<b>Warning</b>: PDOStatement::execute(): SQLSTATE[HY093]: Invalid parameter number: parameter was not defined in <b>EventLogsAPI.class.php</b> on line <b>32</b><br />
[]
所以,基于这个执行,绑定的 SQL 查询应该是:
// query
$sql = "SELECT *
FROM `log`
ORDER BY `date` DESC
LIMIT 0, 20";
但是,我收到错误消息:Invalid parameter number: parameter was not defined。
我已经检查了以下内容:
- :parameter 名称与绑定值匹配
- 确保参数编号与查询中的 PDO 值匹配
- 绑定正确的值
- 确保没有空值
我知道还有其他几个关于此问题的问题,但我还没有找到解决此问题的方法。非常感谢任何有关调试的帮助。感谢您的阅读。
【问题讨论】:
-
请记住,尽管已准备好语句,但您的查询构建器很可能容易发生 SQL 注入。您可以查看我的文章以获取解决方案,An SQL injection against which prepared statements won't help