ThinkPHP: preventing SQL injection

For web applications, SQL injection is without doubt the most important attack to guard against. ThinkPHP's data layer already applies a good deal of handling and preventive mechanisms of its own, for example:


  $User = M("User"); // instantiate the User model
  $User->find($_GET["id"]);

Even if a malicious user tampers with the id parameter, the system casts it to an integer, which defeats the injection. The framework checks the declared data type of each field, and converts the incoming data to that type before it is used. For string fields, ThinkPHP applies the driver's escape_string handling (real_escape_string, mysql_escape_string), and in PDO mode it also supports parameter binding.

The usual risk arises when you build the query yourself from a string, and part of that string depends on variables supplied by the client.

To prevent SQL injection effectively, we recommend:

  • Use the array form of queries wherever possible; it is the safer approach;
  • If a query string must be used, use the preprocessing mechanism;
  • Use the automatic validation and filtering mechanisms to apply filtering tailored to your application;
  • Where circumstances permit, use PDO mode together with parameter binding.

Query preprocessing

The where method supports preprocessing (security filtering) of string conditions, and the preprocessing parameters can be passed in two ways, for example:

  $Model->where("id=%d and username='%s' and xx='%f'",array($id,$username,$xx))->select();
  // or
  $Model->where("id=%d and username='%s' and xx='%f'",$id,$username,$xx)->select();

The model's query and execute methods also support the preprocessing mechanism, for example:

  $model->query('select * from user where id=%d and status=%d',$id,$status);
  // or
  $model->query('select * from user where id=%d and status=%d',array($id,$status));

The execute method is used in the same way as query.
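To make the effect of the %d, %s and %f placeholders concrete, here is an added example (not ThinkPHP's own code) that emulates the preprocessing step on constructed hostile inputs, then shows the same query written with PDO parameter binding, the article's preferred option. The escape_demo helper and the $pdo connection are assumptions standing in for the real driver's escaper and connection.

```php
<?php
// Added example, not ThinkPHP's code: emulates the %d / %s / %f
// preprocessing described above so the effect of each placeholder on a
// hostile value is visible, then shows the PDO-binding alternative.

// Hypothetical stand-in for the driver's escape function. Real code must
// use the active connection's escaper (PDO::quote, real_escape_string).
function escape_demo(string $s): string {
    return addslashes($s);
}

// Apply the three placeholders the article lists. Each value is coerced
// to the placeholder's type before it is spliced into the SQL string.
function preprocess(string $sql, array $params): string {
    $i = 0;
    return preg_replace_callback('/%([dsf])/', function ($m) use ($params, &$i) {
        $v = $params[$i++] ?? null;
        switch ($m[1]) {
            case 'd': return (string) intval($v);      // %d: integer only
            case 'f': return (string) floatval($v);    // %f: float only
            default:  return escape_demo((string) $v); // %s: escaped string
        }
    }, $sql);
}

// Constructed hostile inputs (not from the article).
$id       = "1 OR 1=1";
$username = "admin' OR '1'='1";
$xx       = "3.5; DROP TABLE user";

// %d and %f discard everything after the numeric prefix; %s is escaped.
echo preprocess("id=%d and username='%s' and xx='%f'", [$id, $username, $xx]), "\n";

// Same query with PDO parameter binding: values never touch the SQL text.
// Assumes an existing $pdo connection (placeholder, not from the article).
function find_user(PDO $pdo, $id, $username, $xx): array {
    $stmt = $pdo->prepare(
        'SELECT * FROM user WHERE id = :id AND username = :name AND xx = :xx'
    );
    $stmt->bindValue(':id',   (int) $id, PDO::PARAM_INT);
    $stmt->bindValue(':name', $username, PDO::PARAM_STR);
    $stmt->bindValue(':xx',   (float) $xx);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}
```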


Source: www.cnblogs.com/furuihua/p/11842565.html