Moving from mysql real escape to PDO to make it more robust?
Let's see a real example; the code below is what I've been using so far and I've never had a problem, but recently, due to the Sony news etc., I feel I need to learn more about this topic, "security".
So this is my code; these functions below are methods of a class, but for time reasons I can't show you everything.
Connection to my DB
function SQLinit($debug = 0)
{
    // The config array and the link are kept as properties of the class these
    // methods belong to (property names assumed), so DoQuery() sees the same
    // connection instead of an undefined local variable.
    $sql = $this->sql;
    $this->svr_msconnect = @mysql_connect($sql["db_host"], $sql["db_login"], $sql["db_pass"]);
    if (!$this->svr_msconnect)
    {
        echo mysql_error();
        exit;
    }
    @mysql_select_db($sql["db_data"], $this->svr_msconnect);
}
function to call queries
function DoQuery($sql, $assoc=0)
{
    if (!$this->svr_msconnect) $this->SQLinit();
    $result = mysql_query($sql, $this->svr_msconnect);
    if (mysql_errno($this->svr_msconnect))
    {
        //error alert....
        exit;
    }
    // INSERT/UPDATE/DELETE return TRUE rather than a result set
    if ($result === TRUE) return array();
    $res = array();
    if ($assoc)
        while ($row = mysql_fetch_assoc($result))
            array_push($res, $row);
    else
        while ($row = mysql_fetch_row($result))
            array_push($res, $row);
    return $res;
}
and then a real EXAMPLE of simple user authentication:
// $db is an instance of the class that holds SQLinit() and DoQuery() (name assumed)
if (isset($_GET["e"]) && isset($_GET["p"])) {
    $e = $_GET["e"];
    $p = $_GET["p"];
    $db->SQLinit();
    $e = mysql_real_escape_string($e);
    $p = mysql_real_escape_string($p);
    $p = md5($p);
    $sql = "SELECT user_id,user_email,user_pass FROM user_tb where user_email='$e' AND user_pass= '$p' ";
    $result = $db->DoQuery($sql, 1);
}
So basically my $result is an array with the values I need (employees' names, book titles, whatever...).
My question:
I don't want to discuss here the MD5 or using a salt, but given this is my code already implemented, and it is already spread over more than 50 files, is there a way to transform my code to a PDO approach?
I must say I don't know anything about the PDO approach; I just saw some examples, but they were too theoretical and lacked context... here I have a specific context to solve...
PDO allows prepared statements, so your code would look something like this:
$pdo = new PDO( ... params ... );   // DSN, username, password
$stmt = $pdo->prepare("SELECT user_id,user_email,user_pass FROM user_tb where user_email = ? AND user_pass = MD5( ? ) ");
// If you have a User class, you can load it
// otherwise you get an array
$stmt->setFetchMode(PDO::FETCH_CLASS, 'User');
$stmt->execute(array($_POST["e"], $_POST["p"]));
$user = $stmt->fetch();   // false when no row matched
There's a caveat: if there is any chance the query log could be read by someone else (running on a shared server, for example), you should hash the password first before sending it to PDO, but anyone who was using ' or another character that was escaped in their password will need to reset it, because the hash will then be different.
For more about fetch mode magic, see http://www.php.net/manual/en/pdostatement.setfetchmode.php
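As an added example (not the asker's or either answerer's code), this is one way to rebuild the question's SQLinit()/DoQuery() pair on top of PDO while keeping DoQuery()'s return shape, so the call sites in the 50 files only gain a separate array of values instead of escaping them into the string. The class name, property names and the in-memory SQLite DSN are assumptions chosen so it runs stand-alone; the last two queries illustrate the first answer's caveat about passwords that contained a quote.

```php
<?php
// Added example, not the asker's or the answerers' code; class and property names are assumed.
class Db
{
    private $pdo = null;
    private $sql;   // the same config array the question's SQLinit() reads

    public function __construct(array $sql) { $this->sql = $sql; }

    // Replaces SQLinit(): connect once, throw on errors, and on MySQL use real
    // server-side prepares so a ? is never interpolated into the SQL text client-side.
    public function SQLinit()
    {
        if ($this->pdo !== null) return;
        $this->pdo = new PDO($this->sql["dsn"], $this->sql["db_login"], $this->sql["db_pass"]);
        $this->pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        if ($this->pdo->getAttribute(PDO::ATTR_DRIVER_NAME) === "mysql") {
            $this->pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
        }
    }

    // Replaces DoQuery($sql, $assoc): $sql carries ? placeholders, $params the values.
    // The return shape is kept (array of rows; empty array for INSERT/UPDATE/DDL).
    public function DoQuery($sql, array $params = array(), $assoc = 0)
    {
        $this->SQLinit();
        $stmt = $this->pdo->prepare($sql);
        $stmt->execute($params);                // values travel apart from the SQL, no escaping
        if ($stmt->columnCount() === 0) return array();
        return $stmt->fetchAll($assoc ? PDO::FETCH_ASSOC : PDO::FETCH_NUM);
    }
}

// Constructed demo on an in-memory SQLite database; for MySQL the dsn would be
// "mysql:host=<db_host>;dbname=<db_data>;charset=utf8" with the real login and password.
$db = new Db(array("dsn" => "sqlite::memory:", "db_login" => null, "db_pass" => null));
$db->DoQuery("CREATE TABLE user_tb (user_id INTEGER, user_email TEXT, user_pass TEXT)");
// The asker keeps md5(); it is computed in PHP on the raw password, never on an escaped copy
$db->DoQuery("INSERT INTO user_tb VALUES (?, ?, ?)", array(1, "ann@example.com", md5("it's")));

// The question's login query rewritten: no mysql_real_escape_string() and no quotes around ?
$login = "SELECT user_id,user_email,user_pass FROM user_tb WHERE user_email=? AND user_pass=?";
$ok = $db->DoQuery($login, array("ann@example.com", md5("it's")), 1);
echo count($ok), "\n";                           // the quote in the password is plain data

// The first answer's caveat: the old code hashed the escaped string ("it\'s"), so a hash
// stored that way does not match the raw-password hash once the escaping step is removed.
$old = $db->DoQuery($login, array("ann@example.com", md5("it\\'s")), 1);
echo count($old), "\n";                          // no row: the two hashes differ
```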
First of all, the PHP Data Objects Extension is simply a mechanism used to access and use databases. If you want to learn how to use the PDO library, check out the documentation. You can create a secure database implementation without the use of PHP's PDO extension, though.
Your current implementation isn't too bad, but I would definitely recommend NOT passing user credentials via the URI query (i.e. use $_POST instead of $_GET for your more sensitive parameters).