1,014   Laravel MySQL PHP

Laravel5 通过 Eloquent ORM 来关联数据库,它会使用 PDO parameter binding 来防止 SQL 注入

比如根据用户名搜索

select * from users where name = ? 

假如输出是 ‘test’ or 1=1,那么SQL变成

select * from users where name = 'test' or 1=1

这会造成SQL注入,但是通过 PDO parameter binding  ,则会变成这样

select * from users where name = 'test or 1=1'

这因为 PDO parameter binding 会把一些特殊命令字符过滤掉。

 

以上是Laravel5 防范SQL注入的方法啦。

 

官网解释

Note: The Laravel query builder uses PDO parameter binding to protect your application against SQL injection attacks. There is no need to clean strings being passed as bindings.




One Response

Leave a Reply

Your email address will not be published. Required fields are marked *