PHP: PDO (SQLite) user input

I am writing a small Q&A web application that will allow internet users to submit answers to questions (only answers, not questions).

I would like some thoughts on my method of receiving user input and inserting it into the database, mainly from a security perspective. I have actively tried to address the payload size (strlen()), XSS (htmlspecialchars()), SQL injection (prepare()), and making sure the user is submitting an answer to a question that actually exists (by running a SELECT query "behind the scenes").

public function submitAnswer($qid, $payload) {
    // escape/sanitize input
    $answer = htmlspecialchars($payload, ENT_QUOTES);
    $unix_time = time();
    // strip every non-digit character from the question id (the pattern is \D, not D)
    $qid = preg_replace('/\D/', '', $qid);

    // get length of question from db
    $this->sth = $this->dbh->prepare("SELECT question, LENGTH(question) as length FROM questions where id = :id");
    $this->sth->execute(array(':id' => $qid));
    $this->sth->bindColumn('length', $q_length);
    $result = $this->sth->fetch(PDO::FETCH_BOUND);

    // make sure question exists and check the combined length of q & a
    if ($result && ($q_length + strlen($answer) < 130)) {
        try {
            // bind every value, including the timestamp, instead of interpolating it into the SQL
            $this->hsth = $this->dbh->prepare("INSERT INTO answers (unix_time, qid, answer) values (:unix_time, :qid, :answer)");
            // execute the INSERT handle ($hsth), not the SELECT handle ($sth) prepared above
            $this->hsth->execute(array(
                ':unix_time' => $unix_time,
                ':qid' => $qid,
                ':answer' => $answer
            ));
            return array('status' => '0', 'unix_time' => $unix_time, 'qid' => $qid, 'length' => strlen($answer));
        } catch (PDOException $e) {
            return array('status' => '1', 'unix_time' => time(), 'message' => 'db error');
        }
    } else {
        return array('status' => '1', 'unix_time' => time(), 'message' => 'invalid input');
    }
}

More precisely, do the functions (htmlspecialchars(), prepare()) provide sufficient protection against XSS and SQL injection?
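The same submit flow as an added example (not code from the question): it validates the question id as an integer instead of stripping characters, binds every value, stores the answer unescaped and escapes only at render time, and runs against an in-memory SQLite database so it is self-contained. Table and column names follow the question; the class name, the 130-character limit as a constant, and PHP 8 are assumptions.

```php
<?php
declare(strict_types=1);

final class AnswerStore
{
    private const MAX_COMBINED_LENGTH = 130; // limit taken from the question

    public function __construct(private PDO $dbh) {}

    public function submitAnswer(string $qid, string $payload): array
    {
        // Validate, do not "clean": a question id must be a positive integer.
        $id = filter_var($qid, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
        if ($id === false) {
            return ['status' => '1', 'message' => 'invalid question id'];
        }
        // Keep the raw text; count characters so the limit matches what the user typed.
        $answer = trim($payload);

        $sth = $this->dbh->prepare('SELECT LENGTH(question) AS length FROM questions WHERE id = :id');
        $sth->execute([':id' => $id]);
        $row = $sth->fetch(PDO::FETCH_ASSOC);
        if ($row === false || (int) $row['length'] + mb_strlen($answer) >= self::MAX_COMBINED_LENGTH) {
            return ['status' => '1', 'message' => 'invalid input'];
        }

        // Every value is a bound parameter, including the timestamp.
        $ins = $this->dbh->prepare('INSERT INTO answers (unix_time, qid, answer) VALUES (:t, :qid, :answer)');
        $ins->execute([':t' => time(), ':qid' => $id, ':answer' => $answer]);
        return ['status' => '0', 'qid' => $id, 'length' => mb_strlen($answer)];
    }

    // Escape once, at output time, for the HTML context the answer is rendered in.
    public static function renderHtml(string $answer): string
    {
        return htmlspecialchars($answer, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}

// Constructed sample database so the example runs offline.
$dbh = new PDO('sqlite::memory:');
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$dbh->exec('CREATE TABLE questions (id INTEGER PRIMARY KEY, question TEXT NOT NULL)');
$dbh->exec('CREATE TABLE answers (id INTEGER PRIMARY KEY, unix_time INTEGER, qid INTEGER, answer TEXT)');
$dbh->exec("INSERT INTO questions (question) VALUES ('What is your favourite editor?')");

$store = new AnswerStore($dbh);
var_dump($store->submitAnswer('1', 'vim <b>forever</b>')); // accepted, stored verbatim
var_dump($store->submitAnswer('1 OR 1=1', 'x'));          // rejected: id is not an integer
var_dump($store->submitAnswer('999', 'x'));               // rejected: no such question
echo AnswerStore::renderHtml('vim <b>forever</b>'), PHP_EOL; // escaped only for display
```

Storing the raw answer keeps the length check honest (htmlspecialchars() expands `<` to `&lt;`) and lets the same value be escaped differently for HTML, JSON or other outputs.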

Link: http://www.djcxy.com/p/21651.html
