fix(security): DebugMysql日志驱动使用PDO预处理防止SQL注入

This commit is contained in:
augushong
2026-05-14 23:22:01 +08:00
parent 37259cfb4b
commit f60d1abff6


@@ -52,6 +52,11 @@ class DebugMysql implements LogHandlerInterface
$log_key = uniqid();
$columns = 'level,content,create_time,create_time_title,uid,app_name,controller_name,action_name';
$placeholders = '?,?,?,?,?,?,?,?';
$sql = "INSERT INTO {$this->tableName} ({$columns}) VALUES ({$placeholders})";
$stmt = $this->pdo->prepare($sql);
foreach ($log as $log_level => $log_list) {
foreach ($log_list as $key => $log_item) {
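Review bot: The prepared statement parameterizes only the column values; `{$this->tableName}` on the `$sql = "INSERT INTO ...` line is still interpolated into the SQL text, and PDO placeholders cannot cover identifiers, so the fix is only complete if the table name is not attacker-influenced. If it can come from configuration, validate it against a strict identifier pattern before building the statement, e.g. `if (!preg_match('/^[A-Za-z0-9_]+$/', $this->tableName)) { throw new \InvalidArgumentException('invalid log table name'); }`, or quote it with backticks. Separately, `$this->pdo->prepare($sql)` returns `false` when the connection is not in `PDO::ERRMODE_EXCEPTION`, and the later `$stmt->execute([...])` would then raise an Error on a bool rather than a meaningful failure; a `$stmt === false` guard that throws, or a comment stating the PDO error mode the driver relies on, would make that explicit. The enclosing method begins before this hunk.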
@@ -59,30 +64,16 @@ class DebugMysql implements LogHandlerInterface
$log_item = json_encode($log_item, JSON_UNESCAPED_UNICODE);
}
$log_data = [
'level' => $log_level,
'content' => $log_item,
'create_time' => $create_time,
'create_time_title' => $create_time_title,
'uid' => $log_key,
'app_name' => $app_name,
'controller_name' => $controller_name,
'action_name' => $action_name,
];
foreach ($log_data as $key => &$value) {
$value = str_replace('\'', '\\\'', $value);
}
$data_keys = array_keys($log_data);
$data_keys_in_sql = join(',', $data_keys);
$data_values_in_sql = join('\',\'', $log_data);
$sql = "INSERT INTO {$this->tableName} ($data_keys_in_sql) VALUES ('$data_values_in_sql');";
$this->pdo->exec($sql);
$stmt->execute([
$log_level,
$log_item,
$create_time,
$create_time_title,
$log_key,
$app_name,
$controller_name,
$action_name,
]);
}
}