connection

$_pdo = new Data('mysql:host='.$db_host.';dbname='.$db_name.';port='.$db_port, $db_user, $db_pass, array(PDO::MYSQL_ATTR_INIT_COMMAND => 'SET NAMES '.$charset));

Variables come from form. User can make a sql injection if I don't strip this variables?

---

If you are accepting input from a form to create the connection I would probably use some sanitization functions to clean it up before using it. If this is being stored in a text file or a database it would be a good idea to sanitize before it is saved as well before it is used.

http://php.net/manual/en/function.filter-var.php

$db_host = filter_var($db_host,FILTER_SANITIZE_FULL_SPECIAL_CHARS);

Equivalent to calling htmlspecialchars() with ENT_QUOTES set. Encoding quotes can be disabled by setting FILTER_FLAG_NO_ENCODE_QUOTES. Like htmlspecialchars(), this filter is aware of the default_charset and if a sequence of bytes is detected that makes up an invalid character in the current character set then the entire string is rejected resulting in a 0-length string. http://www.php.net/manual/en/filter.filters.sanitize.php

---

Connect credentials should not come from user under any circumstances.
You have to store them in your server in some config file. And then use with connect string.
Please note that charset should be set in DSN, not options.

include 'settings.php';
$dsn = "mysql:host=$db_host;dbname=$db_name;port=$db_port;charset=$charset";
$pdo = new Data($dsn, $db_user, $db_pass);

链接地址: http://www.djcxy.com/p/93794.html

上一篇: PDO从数组中准备语句和bindValues

下一篇: 连接