1
奇怪的事情正在發生,因爲PDO應該逃避任何XSSPDO bindValue不逃避
這裏是我的PDO類
<?php
class Database {
private $host = 'localhost';
private $user = 'root';
private $pass = '';
private $dbname = '';
private static $_instance;
private $dbh;
private $stmt;
private $error;
private function __construct() {
if($this->dbh != null)
return $this->dbh;
$dsn = 'mysql:host=' . $this->host . ';dbname=' . $this->dbname;
$options = array(
PDO::ATTR_PERSISTENT => true,
PDO::ATTR_ERRMODE => PDO::ERRMODE_WARNING, //ERRMODE_SILENT
PDO::MYSQL_ATTR_INIT_COMMAND => "SET NAMES utf8",
);
try {
$this->dbh = new PDO($dsn, $this->user, $this->pass, $options);
}
catch(PDOException $e) {
echo '__construct -> ';
var_dump($e->getMessage());
}
}
private function __clone(){
}
public static function getInstance() {
if(!self::$_instance) {
self::$_instance = new Database();
}
return self::$_instance;
}
public function query($query) {
try {
$this->stmt = $this->dbh->prepare($query);
}
catch(PDOException $e) {
echo 'query -> ';
var_dump($e->getMessage());
}
}
public function bindValue($param, $value, $type) {
$this->stmt->bindValue($param, $value, $type);
}
public function execute() {
try {
return $this->stmt->execute();
}
catch(PDOException $e) {
echo 'execute -> ';
var_dump($e->getMessage());
}
}
}
?>
...這裏是插入註釋數據庫處理程序
$this->db->query("INSERT INTO `comments` (`user_id`, `post_id`, `text`, `added`) VALUES (:user_id, :post_id, :text, :added)");
$this->db->bindValue(':user_id', $user_id, PDO::PARAM_INT);
$this->db->bindValue(':post_id', $recipe_id, PDO::PARAM_INT);
$this->db->bindValue(':text', $_POST['text'], PDO::PARAM_STR);
$this->db->bindValue(':added', time(), PDO::PARAM_INT);
$this->db->execute();
並且輸入不會被「>」>「>」>「> alert(1)轉義;」
...所以這有什麼錯?PDO
PDO除了SQL上下文(如果有的話)不會轉義。 – mario
你必須逃避你的輸出。 PDO沒有理由不保存字符串''「>'>''>」> alert(1);「'。 –
@ Don'tPanic stackoverflow removed