Moving from mysql real escape to PDO to make it more robust?_问答_开发者

Moving from mysql real escape to PDO to make it more robust?

开发者 https://www.devze.com 2023-03-02 15:33 出处：网络

let\'s see a real example; the next code is what ive bene using so far and in ver ha da problem, but recently, due to Sony news etc, i feel i need ot learn more of this topic \"security.\"

let's see a real example; the next code is what ive bene using so far and in ver ha da problem, but recently, due to Sony news etc, i feel i need ot learn more of this topic "security."

so this is my code, these functions below are methods of a class but for time reason i can't show you everything

Connection to my DB

   function SQLinit($debug = 0)
   {
         $svr_msconnect = @mysql_connect($sql["db_host"], $sql["db_login"], $sql["db_pass"]);
         @mysql_select_db($sql["db_data"]);
         if (!$svr_msconnect)
         {
           echo mysql_error();
           exit;
         }
   }

function to call queries

   function DoQuery($sql, $assoc=0)
   {
        if (!$svr_msconnect) SQLinit();

        $result = mysql_query($sql, $svr_msconnect);

        if (mysql_errno())
        {
            //error alert....
            exit;
        }

        if ($result === TRUE) return array();        
        $res = array();

        if ($assoc)
            while ($row = mysql_fetch_assoc($result))
                array_push($res, $row);
        else
            while ($row = mysql_fetch_row($result)  ) 
                array_push($res, $row);

        return $res;
开发者_如何学JAVA   }

and then a real EXAMPLE of simple user authentication:

     if(isset($_GET["e"]) && isset($_GET["p"])){

         $e = $_GET["e"];
         $p = $_GET["p"];       

         SQLinit();

         $e = mysql_real_escape_string($e);
         $p = mysql_real_escape_string($p);
         $p = md5($p);

        $sql = "SELECT user_id,user_email,user_pass FROM user_tb where user_email='$e' AND user_pass= '$p' ";
        $result = DoQuery($sql,1);
    }

so basically my $result is an array with the value I need (employees names, book titles, whatever...)

my question:

I dont want to discuss here the MD5 or using a salt, but given this is my code already implemented, and is already spread in more than 50 files, there is a way to transform my code to a PDO approach?

I must say I don't know anything about PDO approach, i just saw some examples but they were too theory-y and not enough context...here i have a specific context to solve ...

PDO allows prepared statements, so your code would look something like this:

$pdo = new PDO( ... params ... );
$stmt = $pdo->prepare("SELECT user_id,user_email,user_pass FROM user_tb where user_email = ? AND user_pass = MD5( ? ) ");

// If you have a User class, you can load it 
// otherwise you get an array
$stmt->setFetchMode(PDO_FETCH_CLASS, 'User');

$stmt->execute(array($_POST["e"], $_POST["p"]));
$user = $stmt->fetch();

There's a caveat: If there is any chance the query log could be read by someone else (running on a shared server for example) you should hash the password first before sending it to PDO, but anyone who was using ' or another character that was escaped in their password will need to reset, because the hash will then be different.

For more about fetch mode magic, see http://www.php.net/manual/en/pdostatement.setfetchmode.php

First of all, the PHP Data Objects Extension is simply a mechanism used to access and use databases. If you want to learn how to use the PDO library, check out the documentation. You can create a secure database implementation without the use of PHP's PDO extension, though.

Your current implementation isn't too bad, but I would definitely recommend NOT passing user credentials via URI query (ie. use $_POST instead of $_GET for your more sensitive parameters).