修改 PDO bindParam() 或为其添加额外的功能?
Modifying / Adding extra stuff to PDO bindParam()?
有没有人知道是否有一种干净的方式(或任何方式)来更改 PDO 的 bindParam?
我们正在为我们的网站实施额外的安全措施(输入过滤器)。我们的每个网站都各不相同,但它们的共同点是都使用 PDO。所以到目前为止,把过滤器有效地加到我们所有网站上的最好办法,似乎是设法让 PDO 的 bindParam 对其参数调用我们的函数,这样传入 bindParam 的每个输入都会得到适当的过滤。
谢谢!
通过扩展 PDO 类解决了这个问题:
/**
 * Holder for a single, lazily opened database connection shared by the
 * whole request.
 *
 * Security notes for maintainers:
 * - PDO::ATTR_EMULATE_PREPARES => false asks the driver for native prepared
 *   statements instead of client-side emulation.
 * - PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION makes database errors throw
 *   PDOException rather than fail silently.
 * - An uncaught exception from the PDO constructor produces a backtrace that
 *   can include the connection arguments (user name and password); make sure
 *   callers catch it or that error display is off in production.
 * - NOTE(review): "charset=utf8" is MySQL's 3-byte utf8mb3; confirm whether
 *   utf8mb4 is wanted before changing it, since it must match the schema.
 */
class CustomDBConnection {
    private static $conn;

    /**
     * Return the shared CustomPDO instance, opening the connection on the
     * first call and reusing it afterwards.
     */
    public static function getInstance() {
        // Already connected: hand back the existing instance.
        if (self::$conn !== null) {
            return self::$conn;
        }

        global $db_hostname, $db_database, $db_username, $db_password; // probably better to store these within this class but this was quicker

        $dsn = "mysql:host=$db_hostname;dbname=$db_database;charset=utf8";
        $options = array(
            PDO::ATTR_EMULATE_PREPARES => false,
            PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        );
        self::$conn = new CustomPDO($dsn, $db_username, $db_password, $options);

        return self::$conn;
    }
}
/**
 * PDO subclass whose prepared statements are CustomPDOStatement objects, so
 * that bindParam()/bindValue() calls go through the input filter defined
 * there.
 *
 * PDO documents that PDO::ATTR_STATEMENT_CLASS cannot be used with
 * persistent connections, so do not pass PDO::ATTR_PERSISTENT in
 * $driver_options.
 */
class CustomPDO extends PDO {
    /**
     * Open the connection exactly as PDO does, then register the custom
     * statement class.
     *
     * @param string      $dsn            Data source name.
     * @param string|null $username       Database user.
     * @param string|null $password       Database password.
     * @param array       $driver_options Driver-specific connection options.
     */
    public function __construct($dsn, $username = null, $password = null, $driver_options = array()) {
        parent::__construct($dsn, $username, $password, $driver_options);

        // Attach customised PDOStatement class; the second element holds the
        // constructor arguments, so each statement receives this connection.
        $statementClass = array('CustomPDOStatement', array($this));
        $this->setAttribute(PDO::ATTR_STATEMENT_CLASS, $statementClass);
    }
}
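/**
 * PDOStatement subclass that runs every value passed to bindParam() and
 * bindValue() through InputProtection::detachEvilHTML() before binding it.
 *
 * Coverage limits a reviewer should know about:
 * - Values handed straight to execute(array $params) do not pass through
 *   bindParam()/bindValue() here, so they are NOT filtered by this class.
 * - bindParam() binds by reference and PDO reads the variable when execute()
 *   runs; a value assigned to the variable after bindParam() is not filtered.
 * - The filter runs regardless of $data_type. NOTE(review): confirm that
 *   detachEvilHTML() returns integers, booleans, null and LOB streams
 *   unchanged.
 * - SQL injection is already addressed by the prepared statement itself.
 *   Filtering HTML on the way into the database does not replace escaping on
 *   output (e.g. htmlspecialchars() in an HTML context), because data can
 *   reach the page by paths that never touch this class.
 */
class CustomPDOStatement extends PDOStatement {
    private $conn;

    /**
     * Called by PDO with the constructor arguments registered through
     * PDO::ATTR_STATEMENT_CLASS.
     *
     * @param PDO $conn The connection that created this statement.
     */
    protected function __construct($conn) {
        $this->conn = $conn; // this is most likely useless at this moment
    }

    /**
     * Filter the referenced variable in place, then bind it.
     *
     * The caller's variable is overwritten with the filtered value because
     * $variable is taken by reference.
     *
     * @return bool Result of PDOStatement::bindParam().
     */
    public function bindParam($parameter, &$variable, $data_type = PDO::PARAM_STR, $length = null, $driver_options = null) {
        $variable = InputProtection::detachEvilHTML($variable);

        // Propagate the parent's result; without the return, callers that
        // check for a failed bind would always see null.
        return parent::bindParam($parameter, $variable, $data_type, $length, $driver_options);
    }

    /**
     * Filter the value, then bind it.
     *
     * @return bool Result of PDOStatement::bindValue().
     */
    public function bindValue($parameter, $value, $data_type = PDO::PARAM_STR) {
        $value = InputProtection::detachEvilHTML($value);

        // Propagate the parent's result so a failed bind is not hidden.
        return parent::bindValue($parameter, $value, $data_type);
    }
}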
所以我现在基本上使用 $db = CustomDBConnection::getInstance();
而不是 $db = new PDO(.......);
有没有人知道是否有一种干净的方式(或任何方式)来更改 PDO 的 bindParam?
我们正在为我们的网站实施额外的安全措施(输入过滤器)。我们的每个网站都各不相同,但它们的共同点是都使用 PDO。所以到目前为止,把过滤器有效地加到我们所有网站上的最好办法,似乎是设法让 PDO 的 bindParam 对其参数调用我们的函数,这样传入 bindParam 的每个输入都会得到适当的过滤。
谢谢!
通过扩展 PDO 类解决了这个问题:
/**
 * Holder for a single, lazily opened database connection shared by the
 * whole request.
 *
 * Security notes for maintainers:
 * - PDO::ATTR_EMULATE_PREPARES => false asks the driver for native prepared
 *   statements instead of client-side emulation.
 * - PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION makes database errors throw
 *   PDOException rather than fail silently.
 * - An uncaught exception from the PDO constructor produces a backtrace that
 *   can include the connection arguments (user name and password); make sure
 *   callers catch it or that error display is off in production.
 * - NOTE(review): "charset=utf8" is MySQL's 3-byte utf8mb3; confirm whether
 *   utf8mb4 is wanted before changing it, since it must match the schema.
 */
class CustomDBConnection {
    private static $conn;

    /**
     * Return the shared CustomPDO instance, opening the connection on the
     * first call and reusing it afterwards.
     */
    public static function getInstance() {
        // Already connected: hand back the existing instance.
        if (self::$conn !== null) {
            return self::$conn;
        }

        global $db_hostname, $db_database, $db_username, $db_password; // probably better to store these within this class but this was quicker

        $dsn = "mysql:host=$db_hostname;dbname=$db_database;charset=utf8";
        $options = array(
            PDO::ATTR_EMULATE_PREPARES => false,
            PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        );
        self::$conn = new CustomPDO($dsn, $db_username, $db_password, $options);

        return self::$conn;
    }
}
/**
 * PDO subclass whose prepared statements are CustomPDOStatement objects, so
 * that bindParam()/bindValue() calls go through the input filter defined
 * there.
 *
 * PDO documents that PDO::ATTR_STATEMENT_CLASS cannot be used with
 * persistent connections, so do not pass PDO::ATTR_PERSISTENT in
 * $driver_options.
 */
class CustomPDO extends PDO {
    /**
     * Open the connection exactly as PDO does, then register the custom
     * statement class.
     *
     * @param string      $dsn            Data source name.
     * @param string|null $username       Database user.
     * @param string|null $password       Database password.
     * @param array       $driver_options Driver-specific connection options.
     */
    public function __construct($dsn, $username = null, $password = null, $driver_options = array()) {
        parent::__construct($dsn, $username, $password, $driver_options);

        // Attach customised PDOStatement class; the second element holds the
        // constructor arguments, so each statement receives this connection.
        $statementClass = array('CustomPDOStatement', array($this));
        $this->setAttribute(PDO::ATTR_STATEMENT_CLASS, $statementClass);
    }
}
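/**
 * PDOStatement subclass that runs every value passed to bindParam() and
 * bindValue() through InputProtection::detachEvilHTML() before binding it.
 *
 * Coverage limits a reviewer should know about:
 * - Values handed straight to execute(array $params) do not pass through
 *   bindParam()/bindValue() here, so they are NOT filtered by this class.
 * - bindParam() binds by reference and PDO reads the variable when execute()
 *   runs; a value assigned to the variable after bindParam() is not filtered.
 * - The filter runs regardless of $data_type. NOTE(review): confirm that
 *   detachEvilHTML() returns integers, booleans, null and LOB streams
 *   unchanged.
 * - SQL injection is already addressed by the prepared statement itself.
 *   Filtering HTML on the way into the database does not replace escaping on
 *   output (e.g. htmlspecialchars() in an HTML context), because data can
 *   reach the page by paths that never touch this class.
 */
class CustomPDOStatement extends PDOStatement {
    private $conn;

    /**
     * Called by PDO with the constructor arguments registered through
     * PDO::ATTR_STATEMENT_CLASS.
     *
     * @param PDO $conn The connection that created this statement.
     */
    protected function __construct($conn) {
        $this->conn = $conn; // this is most likely useless at this moment
    }

    /**
     * Filter the referenced variable in place, then bind it.
     *
     * The caller's variable is overwritten with the filtered value because
     * $variable is taken by reference.
     *
     * @return bool Result of PDOStatement::bindParam().
     */
    public function bindParam($parameter, &$variable, $data_type = PDO::PARAM_STR, $length = null, $driver_options = null) {
        $variable = InputProtection::detachEvilHTML($variable);

        // Propagate the parent's result; without the return, callers that
        // check for a failed bind would always see null.
        return parent::bindParam($parameter, $variable, $data_type, $length, $driver_options);
    }

    /**
     * Filter the value, then bind it.
     *
     * @return bool Result of PDOStatement::bindValue().
     */
    public function bindValue($parameter, $value, $data_type = PDO::PARAM_STR) {
        $value = InputProtection::detachEvilHTML($value);

        // Propagate the parent's result so a failed bind is not hidden.
        return parent::bindValue($parameter, $value, $data_type);
    }
}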
所以我现在基本上使用 $db = CustomDBConnection::getInstance();
而不是 $db = new PDO(.......);