Kno*_*ing 27 sql-injection magento
I am using Magento's facilities for insert and update queries. My requirement is that, when issuing these kinds of queries, I want to guard against SQL injection, but I cannot find how Magento does this. I am giving a starting sample below; please give me a complete example.
<?php
$write = Mage::getSingleton("core/resource")->getConnection("core_write");
// $name, $email, $company and $desc are interpolated straight into the SQL text
$sql = "INSERT INTO Mage_Example (Name, Email, Company, Description, Status, Date)
VALUES ('$name', '$email', '$company', '$desc', '0', NOW())";
?>
Now I want to change the above query to prevent possible SQL injection. I don't want to use PHP's default built-in function mysql_real_escape_string(). Can anyone give me a useful solution using the "$write" DB handler?
Any help is greatly appreciated.
Jos*_*tey 60
OK, I've looked into this a bit. If you can get an instance of the DB_Adapter (which I believe the resource call returns), this shouldn't be too hard. Deep down, Magento is built on Zend Framework, and the DB adapter in particular is a descendant of Zend_Db_Adapter, so you get those methods for free. See the previous link for more examples, but here is the syntax given in the documentation, which should escape the input automatically:
$write = Mage::getSingleton("core/resource")->getConnection("core_write");
// Concatenated with . for readability
$query = "insert into mage_example "
. "(name, email, company, description, status, date) values "
. "(:name, :email, :company, :desc, 0, NOW())";
$binds = array(
'name' => "name' or 1=1",
'email' => "email",
'company' => "company",
'desc' => "desc",
);
$write->query($query, $binds);
Again, see the documentation for more information.
Update:
I've changed the example above. The object that you get back with your core_write request is a PDO object that exposes a query method (see above) that will let you use parameterized queries. This is BY FAR a better approach than attempting to use something like mysql_real_escape_string for data sanitization, and I've tested the above code for correctness. Note that, in contrast to most MySQL parameterized queries, the binding is done with :labels, and also that you need no quotes for your vars.
In response to your other point, and as noted below, the "correct" way to do this in Magento is not to use direct queries at all. The Magento object model is well developed and is designed to abstract this kind of implementation detail away so that you don't need to care about it. To do this "properly", create a new database-backed model and save yourself the headache.
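To show the mechanism the answer relies on, here is an added example (not from the original post and not Magento code) that runs the same ($sql, $binds) pair through plain PDO over an in-memory SQLite table; Magento's core_write adapter, Varien_Db_Adapter_Pdo_Mysql (a Zend_Db_Adapter_Pdo_Mysql subclass), ends in the same prepare/execute path. The table and column names are taken from the answer, CURRENT_TIMESTAMP stands in for NOW() because SQLite has no NOW(), and the input values are constructed.

```php
<?php
// Added example: PDO + in-memory SQLite so it runs offline without a Magento install.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE mage_example (
    id INTEGER PRIMARY KEY AUTOINCREMENT, name TEXT, email TEXT,
    company TEXT, description TEXT, status INTEGER, date TEXT)");

// Constructed hostile input: the same string the answer above uses as a bind value.
$name = "name' or 1=1";

// 1) String interpolation, as in the question. Only the SQL text is built here, to
//    show what the server would receive: the quote inside $name closes the literal
//    early and the remainder of the input becomes part of the statement.
$interpolated = "INSERT INTO mage_example (name, email) VALUES ('$name', 'e')";
echo "Interpolated SQL: $interpolated\n";

// 2) Named placeholders, as in the accepted answer. The bind values never touch the
//    SQL text; the driver passes them separately, so the quote and "or 1=1" are
//    stored as ordinary characters. Keys may be given with or without the leading
//    colon; both PDO and the Zend adapter accept them.
$sql = "INSERT INTO mage_example (name, email, company, description, status, date) "
     . "VALUES (:name, :email, :company, :desc, 0, CURRENT_TIMESTAMP)";
$binds = array(
    'name'    => $name,
    'email'   => 'a@example.com',   // constructed
    'company' => 'ACME',            // constructed
    'desc'    => "it's fine",       // embedded quote, also handled by binding
);
$stmt = $pdo->prepare($sql);
$stmt->execute($binds);             // what Zend_Db_Adapter::query($sql, $binds) does internally

// Read the row back: the payload is plain data and exactly one row was written.
$row   = $pdo->query("SELECT name, description FROM mage_example")->fetch(PDO::FETCH_ASSOC);
$count = (int) $pdo->query("SELECT COUNT(*) FROM mage_example")->fetchColumn();
echo "Stored name: {$row['name']}\n";
echo "Stored description: {$row['description']}\n";
echo "Rows in table: {$count}\n";
echo ($row['name'] === $name && $count === 1) ? "bound input kept as data\n" : "unexpected result\n";
```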
小智 13
I use this to insert multiple rows into a table:
$table = Mage::getSingleton('core/resource')->getTableName('table_name');
$rows = array(
    array('cal_1' => 'value', 'cal_2' => 'value', 'cal_3' => 'value'),
    array('cal_1' => 'value', 'cal_2' => 'value', 'cal_3' => 'value')
);

// Declared as a plain function here so the snippet runs as-is; inside a Magento class it would be a method
function insertRows($table, $rows)
{
    // insertMultiple() lets the adapter quote/bind the values, so no manual escaping is needed
    $write = Mage::getSingleton('core/resource')->getConnection('core_write');
    $write->insertMultiple($table, $rows);
}

insertRows($table, $rows);