
奇怪的事情正在发生：我以为 PDO 应该能转义任何 XSS 输入，但 PDO 的 bindValue 并没有做转义。

这里是我的PDO类

<?php 
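class Database { 
    private $host = 'localhost'; 
    private $user = 'root'; 
    private $pass = ''; 
    private $dbname = ''; 

    /** @var Database|null the single shared instance (see getInstance()) */
    private static $_instance; 

    /** @var PDO|null the connection, or null when connecting failed */
    private $dbh; 
    /** @var PDOStatement|null the statement prepared by the last query() */
    private $stmt; 
    /** @var string|null message of the last failure, for getError() */
    private $error; 

    /**
     * Opens the MySQL connection.
     *
     * Connection failures are recorded via fail() instead of being printed:
     * a driver message can contain the host, database name or credentials
     * and must never reach the HTTP response.
     */
    private function __construct() { 
        // The charset belongs in the DSN so the client library itself knows
        // it; a SET NAMES init command alone does not tell it.
        $dsn = 'mysql:host=' . $this->host . ';dbname=' . $this->dbname . ';charset=utf8'; 
        $options = array(
            PDO::ATTR_PERSISTENT => true, 
            // Throw on any failure so nothing is silently ignored; the
            // wrappers below turn the exception into a false return.
            PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, 
            // Real server-side prepares: bound values are sent separately
            // from the SQL text and are never spliced into it.
            PDO::ATTR_EMULATE_PREPARES => false, 
        ); 
        try { 
            $this->dbh = new PDO($dsn, $this->user, $this->pass, $options); 
        } 
        catch(PDOException $e) { 
            $this->fail('__construct', $e); 
        } 
    } 

    /** Cloning is disabled so the class stays a single shared instance. */
    private function __clone(){ 
    } 

    /**
     * Records a failure for getError() and the server log.
     *
     * @param string       $where name of the operation that failed
     * @param PDOException $e     the driver exception
     */
    private function fail($where, PDOException $e) { 
        $this->error = $where . ' -> ' . $e->getMessage(); 
        // Server log only: driver messages are information disclosure
        // when echoed to the client.
        error_log('Database ' . $this->error); 
    } 

    /**
     * Returns the shared instance, creating it on first use.
     *
     * @return Database
     */
    public static function getInstance() { 
        if(!self::$_instance) { 
            self::$_instance = new Database(); 
        } 
        return self::$_instance; 
    } 

    /**
     * Returns the message of the last failed operation, or null if none.
     *
     * @return string|null
     */
    public function getError() { 
        return $this->error; 
    } 

    /**
     * Prepares $query for the following bindValue()/execute() calls.
     *
     * @param string $query SQL with :named placeholders; user data must be
     *                      bound, never concatenated into this string
     * @return bool true when the statement was prepared, false otherwise
     */
    public function query($query) { 
        $this->stmt = null; 
        if($this->dbh === null) { 
            $this->error = 'query -> no database connection'; 
            return false; 
        } 
        try { 
            $this->stmt = $this->dbh->prepare($query); 
            return true; 
        } 
        catch(PDOException $e) { 
            $this->fail('query', $e); 
            return false; 
        } 
    } 

    /**
     * Binds a value to a placeholder of the prepared statement.
     *
     * Binding protects the SQL statement only. The value is stored exactly
     * as given; escaping for HTML, JavaScript or URLs is an output concern
     * and has to happen where the value is rendered.
     *
     * @param string|int $param placeholder name or 1-based position
     * @param mixed      $value value to bind
     * @param int        $type  PDO::PARAM_* constant
     * @return bool false when no statement is prepared or the bind fails
     */
    public function bindValue($param, $value, $type = PDO::PARAM_STR) { 
        if($this->stmt === null) { 
            return false; 
        } 
        return $this->stmt->bindValue($param, $value, $type); 
    } 

    /**
     * Executes the prepared statement.
     *
     * @return bool true on success, false when nothing is prepared or the
     *              driver reports an error (see getError())
     */
    public function execute() { 
        if($this->stmt === null) { 
            return false; 
        } 
        try { 
            return $this->stmt->execute(); 
        } 
        catch(PDOException $e) { 
            $this->fail('execute', $e); 
            return false; 
        } 
    } 
} 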
?> 

...这里是插入评论的数据库处理代码：

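 // Parameter binding protects the SQL statement only. The comment text is
 // deliberately stored exactly as submitted; markup such as
 // "><script>alert(1)</script> is made harmless where the text is
 // rendered, e.g. htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
 // for an HTML context, not here.
     // Guard against a missing field (undefined index) or an array value
     // (text[]=...) before handing the value to the driver.
     $text = (isset($_POST['text']) && is_string($_POST['text'])) ? $_POST['text'] : ''; 
     $this->db->query("INSERT INTO `comments` (`user_id`, `post_id`, `text`, `added`) VALUES (:user_id, :post_id, :text, :added)"); 
     $this->db->bindValue(':user_id', $user_id, PDO::PARAM_INT); 
     $this->db->bindValue(':post_id', $recipe_id, PDO::PARAM_INT); 
     $this->db->bindValue(':text', $text, PDO::PARAM_STR); 
     $this->db->bindValue(':added', time(), PDO::PARAM_INT); 
     $this->db->execute(); 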

并且像 `'">'>'">"> alert(1);` 这样的输入不会被转义，而是原样存入数据库（原文中的 script 标签在页面提取时已被剥离）。


...那么问题出在哪里？PDO 到底会不会转义？


PDO 只针对 SQL 上下文做处理（如果这也算转义的话），绝不会处理 HTML 或其他输出上下文。 – mario


你必须在输出时转义（HTML 上下文用 htmlspecialchars）。PDO 没有理由不把字符串 `'">'>'">"> alert(1);` 原样保存——参数绑定只防 SQL 注入，不防 XSS。 –
