tag:forum.selfhtml.org,2005:/self
Secure handling of variables in PDO database queries – SELFHTML-Forum
2018-05-17T13:10:53Z
https://forum.selfhtml.org/self/2018/may/17/sicherheits-behandlung-von-variablen-bei-pdo-datenbank-abfragen/1722282#m1722282
Urs
2018-05-17T10:58:27Z
2018-05-17T10:58:27Z
Secure handling of variables in PDO database queries
<p>Hello,</p>
<p>I am just getting started with PDO.
I have read that it is supposed to make the whole database query more secure.
Now I have this part of a script, and the only thing done to a submitted string
is trim.
Does a variable need any further treatment for security before it is stored in the database, or does PDO take care of that?</p>
<pre><code class="block language-php">
if (isset($_GET['save'])) {
    $save = $_GET['save'];
    if ($save === 'personal_data') {
        // Only surrounding whitespace is trimmed; "?? ''" avoids an
        // undefined-index notice when a field is missing from the form.
        $vorname  = trim($_POST['vorname'] ?? '');
        $nachname = trim($_POST['nachname'] ?? '');
        // Named placeholders: the values are handed over separately in
        // execute(), they are never spliced into the SQL text itself.
        $statement = $pdo->prepare("UPDATE users SET vorname = :vorname, nachname = :nachname, updated_at=NOW() WHERE id = :userid");
        $result = $statement->execute(array('vorname' => $vorname, 'nachname' => $nachname, 'userid' => $user['id']));
    }
}
</code></pre>
https://forum.selfhtml.org/self/2018/may/17/sicherheits-behandlung-von-variablen-bei-pdo-datenbank-abfragen/1722285#m1722285
Rolf B
2018-05-17T11:45:18Z
2018-05-18T05:20:21Z
Secure handling of variables in PDO database queries
<p>Hello Urs,</p>
<p>if you work with prepared statements and host variables, PDO takes care of the context-appropriate handling. You don't need to do anything else.</p>
<p>But:</p>
<ul>
<li>you have to include the colon in the array keys (see the <a href="http://php.net/manual/de/pdostatement.execute.php" rel="noopener noreferrer">examples for execute</a>)</li>
<li>you don't need temp variables. You can put the $_POST elements directly into the parameter array when you build it, e.g. like this:</li>
</ul>
<pre><code class="block language-php">$result = $statement->execute(
    array(':vorname'  => $_POST['vorname'],
          ':nachname' => $_POST['nachname'],
          ':userid'   => $user['id']));
</code></pre>
<p>You might also consider switching to the newer array notation (available since PHP 5.4):</p>
<pre><code class="block language-php">// old:
array(':vorname' => $_POST['vorname'], ':nachname' => $_POST['nachname'], ':userid' => $user['id'])
// new:
[':vorname' => $_POST['vorname'], ':nachname' => $_POST['nachname'], ':userid' => $user['id']]
</code></pre>
<p><em>Rolf</em></p>
<div class="signature">-- <br>
sumpsi - posui - clusi
</div>
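<p>An added example, not code from this thread, that shows what the prepared statement in the posts above actually buys you and where its protection ends. It runs against an in-memory SQLite database (the pdo_sqlite extension is assumed to be available); the <code>users</code> table, its rows and the hostile form input are all constructed for the demonstration. The table and column names match the posts, everything else is an assumption.</p>

```php
<?php
// Added example, not code from the thread. Runs against an in-memory SQLite
// database (pdo_sqlite assumed available); the users table, its rows and the
// attacker input below are all constructed here.

$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$pdo->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, vorname TEXT, nachname TEXT, updated_at TEXT)");
$pdo->exec("INSERT INTO users (id, vorname, nachname) VALUES (1, 'Anna', 'Muster'), (2, 'Bernd', 'Beispiel')");

function snapshot(PDO $pdo): array
{
    return $pdo->query("SELECT id, vorname, nachname FROM users ORDER BY id")
               ->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed hostile form input: closes the string literal, adds its own
// assignment and comments out the rest, so the WHERE clause disappears.
$vorname  = "Eve', nachname = 'pwned' WHERE 1=1 --";
$nachname = 'ignored';
$userId   = 1;

// 1) String concatenation: the input becomes part of the SQL text and the
//    server executes what the attacker wrote. Every row is changed.
$pdo->beginTransaction();
$pdo->exec("UPDATE users SET vorname = '$vorname', nachname = '$nachname' WHERE id = $userId");
print_r(snapshot($pdo));   // both rows now read vorname=Eve, nachname=pwned
$pdo->rollBack();          // undo so step 2 starts from the original rows

// 2) Prepared statement with named placeholders: the SQL text is fixed at
//    prepare() time, the values travel separately and are stored literally.
//    Nothing beyond trim() is needed on the input for this to be safe.
$stmt = $pdo->prepare(
    "UPDATE users SET vorname = :vorname, nachname = :nachname, updated_at = CURRENT_TIMESTAMP WHERE id = :userid"
);
$stmt->execute([':vorname' => trim($vorname), ':nachname' => trim($nachname), ':userid' => $userId]);
print_r(snapshot($pdo));   // only id=1 changed; its vorname is the whole odd string, quotes and all

// The leading colon in the keys is optional: PDO adds it when it is missing,
// so the spelling from the first post binds exactly the same parameters.
$stmt->execute(['vorname' => 'Anna', 'nachname' => 'Muster', 'userid' => $userId]);
print_r(snapshot($pdo));   // back to the original data

// 3) Where placeholders stop: identifiers (column names, ORDER BY targets,
//    table names) cannot be bound. Map user input onto a fixed allow-list.
$allowedSort = ['id' => 'id', 'name' => 'nachname'];
$requested   = 'nachname; DROP TABLE users';      // constructed hostile sort parameter
$orderBy     = $allowedSort[$requested] ?? 'id';  // unknown keys fall back to the default
print_r($pdo->query("SELECT id, vorname FROM users ORDER BY $orderBy")->fetchAll(PDO::FETCH_ASSOC));
```

<p>Two practical caveats that the example cannot show with SQLite: with pdo_mysql, PDO emulates prepared statements on the client by default and quotes the values itself, so the connection charset must be declared in the DSN (<code>charset=utf8mb4</code>) rather than via a later <code>SET NAMES</code>, otherwise the quoting can be fooled by multi-byte sequences. And trim, length checks and the like are still worth doing for the application's sake (empty names, oversized input), they just have nothing to do with SQL safety; escaping for HTML output is a separate concern that belongs at the point of output.</p>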
https://forum.selfhtml.org/self/2018/may/17/sicherheits-behandlung-von-variablen-bei-pdo-datenbank-abfragen/1722306#m1722306
Urs
2018-05-17T13:10:53Z
2018-05-17T13:10:53Z
Secure handling of variables in PDO database queries
<p>Stupid question!</p>
<p>But it also works without the colon.</p>
<p>It works without</p>
<p>'vorname' => $vorname,</p>
<p>and with</p>
<p>':vorname' => $vorname,</p>
<pre><code class="block language-php">$statement = $pdo->prepare("UPDATE users SET vorname = :vorname, nachname = :nachname, updated_at=NOW() WHERE id = :userid");
// keys without the leading colon
$result = $statement->execute(array('vorname' => $vorname, 'nachname' => $nachname, 'userid' => $user['id']));
</code></pre>