
PDO: preventing SQL injection

Updated: 2023-12-02 09:33:34

Your code has two problems.

  1. You are using emulated prepared statements. This is the default behavior of the PDO_MYSQL driver. To circumvent it, you should add:

$odb->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

In combination with a missing charset for the communication with the DB, this can make your code open to injections. For establishing the connection you should use:

// MySQL's DSN charset name is utf8mb4 (or the legacy utf8), not "UTF-8"
$odb = new \PDO('mysql:host=localhost;dbname=******;charset=utf8mb4',
                'user', 'pass');

  2. Your method of hashing passwords is insecure (or, actually, does not exist). Instead you should use the crypt() function with CRYPT_BLOWFISH or PBKDF2 and a different salt for each password.

    Also, you might consider using the bindParam() method for setting the values of named parameters, since setting them through execute() would bind the values as PDO::PARAM_STR, but there are other options that you might find useful.
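The points above put together, as an added example that is not part of the original answer: the connection disables emulated prepares and sets the charset, the password is hashed with password_hash() (whose PASSWORD_BCRYPT algorithm is the same CRYPT_BLOWFISH that crypt() uses, with a fresh random salt per call), and parameters are bound with explicit PDO types. The `users` table with columns `id`, `name` and `pw_hash`, and the host and credentials, are assumed placeholders.

```php
<?php
// Added example; table `users` (id, name, pw_hash) and connection details are assumed.
declare(strict_types=1);

function connect(string $db, string $user, string $pass): PDO
{
    // Charset in the DSN so MySQL and PDO agree on the encoding (utf8mb4 assumed)
    $dsn = "mysql:host=localhost;dbname={$db};charset=utf8mb4";
    return new PDO($dsn, $user, $pass, [
        PDO::ATTR_EMULATE_PREPARES => false,                // real server-side prepares
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // fail loudly, never silently
    ]);
}

function registerUser(PDO $pdo, string $name, string $password): int
{
    // PASSWORD_BCRYPT = CRYPT_BLOWFISH; password_hash() generates a random salt per call
    $hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
    $stmt = $pdo->prepare('INSERT INTO users (name, pw_hash) VALUES (:name, :hash)');
    $stmt->bindParam(':name', $name, PDO::PARAM_STR);
    $stmt->bindParam(':hash', $hash, PDO::PARAM_STR);
    $stmt->execute();
    return (int) $pdo->lastInsertId();
}

function checkLogin(PDO $pdo, string $name, string $password): bool
{
    $stmt = $pdo->prepare('SELECT pw_hash FROM users WHERE name = :name LIMIT 1');
    $stmt->bindParam(':name', $name, PDO::PARAM_STR);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // password_verify() reads the salt and cost from the stored hash
    return $row !== false && password_verify($password, $row['pw_hash']);
}

function findUserById(PDO $pdo, int $id): ?array
{
    // Binding as PARAM_INT: one of the "other options" beyond the PARAM_STR default
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE id = :id');
    $stmt->bindParam(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}
```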