有没有人知道如果有一种干净的方式(或任何方式)来改变PDO的bindParam?
我们正在为我们的网站(输入过滤器)实施额外的安全措施,到目前为止,似乎是将它添加到我们有效的每个网站的最佳方式(我们拥有的每个网站都不同但他们的东西是他们的有共同点的是它们都使用PDO)以某种方式使PDO bindParam在它的参数上调用我们的函数,这样bindParam中的每一个输入都会被适当地过滤。
谢谢!
答案 0 :(得分:0)
通过扩展PDO类来解决这个问题:
class CustomDBConnection {
private static $conn;
// either create a new connection or return an existing one
public static function getInstance() {
if (self::$conn == null) {
global $db_hostname, $db_database, $db_username, $db_password; // probably better to store these within this class but this was quicker
self::$conn = new CustomPDO("mysql:host=$db_hostname;dbname=$db_database;charset=utf8", $db_username, $db_password, array(PDO::ATTR_EMULATE_PREPARES => false, PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION));
}
return self::$conn;
}
}
class CustomPDO extends PDO {
public function __construct($dsn, $username = null, $password = null, $driver_options = array()) {
parent::__construct($dsn, $username, $password, $driver_options);
// Attach customised PDOStatement class
$this->setAttribute(PDO::ATTR_STATEMENT_CLASS, array('CustomPDOStatement', array($this)));
}
}
class CustomPDOStatement extends PDOStatement {
private $conn;
protected function __construct($conn) {
$this->conn = $conn; // this is most likely useless at this moment
}
public function bindParam($parameter, &$variable, $data_type = PDO::PARAM_STR, $length = null, $driver_options = null) {
$variable = InputProtection::detachEvilHTML($variable);
parent::bindParam($parameter, $variable, $data_type, $length, $driver_options);
}
public function bindValue($parameter, $value, $data_type = PDO::PARAM_STR) {
$value = InputProtection::detachEvilHTML($value);
parent::bindValue($parameter, $value, $data_type);
}
}
所以我现在基本上$db = CustomDBConnection::getInstance();而不是$db = new PDO(.......);