fix(security): DebugMysql日志驱动使用PDO预处理防止SQL注入
@@ -52,6 +52,11 @@ class DebugMysql implements LogHandlerInterface
|
||||
|
||||
$log_key = uniqid();
|
||||
|
||||
$columns = 'level,content,create_time,create_time_title,uid,app_name,controller_name,action_name';
|
||||
$placeholders = '?,?,?,?,?,?,?,?';
|
||||
$sql = "INSERT INTO {$this->tableName} ({$columns}) VALUES ({$placeholders})";
|
||||
$stmt = $this->pdo->prepare($sql);
|
||||
|
||||
foreach ($log as $log_level => $log_list) {
|
||||
foreach ($log_list as $key => $log_item) {
|
||||
|
||||
@@ -59,30 +64,16 @@ class DebugMysql implements LogHandlerInterface
|
||||
$log_item = json_encode($log_item, JSON_UNESCAPED_UNICODE);
|
||||
}
|
||||
|
||||
$log_data = [
|
||||
'level' => $log_level,
|
||||
'content' => $log_item,
|
||||
'create_time' => $create_time,
|
||||
'create_time_title' => $create_time_title,
|
||||
'uid' => $log_key,
|
||||
'app_name' => $app_name,
|
||||
'controller_name' => $controller_name,
|
||||
'action_name' => $action_name,
|
||||
];
|
||||
|
||||
foreach ($log_data as $key => &$value) {
|
||||
$value = str_replace('\'', '\\\'', $value);
|
||||
}
|
||||
|
||||
$data_keys = array_keys($log_data);
|
||||
|
||||
$data_keys_in_sql = join(',', $data_keys);
|
||||
|
||||
$data_values_in_sql = join('\',\'', $log_data);
|
||||
|
||||
$sql = "INSERT INTO {$this->tableName} ($data_keys_in_sql) VALUES ('$data_values_in_sql');";
|
||||
|
||||
$this->pdo->exec($sql);
|
||||
$stmt->execute([
|
||||
$log_level,
|
||||
$log_item,
|
||||
$create_time,
|
||||
$create_time_title,
|
||||
$log_key,
|
||||
$app_name,
|
||||
$controller_name,
|
||||
$action_name,
|
||||
]);
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
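Review bot: The new `$stmt->execute([...])` at the end of the second hunk discards its boolean result, so unless the PDO connection is configured with `PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION` a failed insert (wrong table, oversized content column, dropped connection) is swallowed and the log record vanishes with no trace — which defeats the purpose of a security/debug log. Either assert the error mode where the PDO is constructed (not visible here) or check the result, e.g. `if ($stmt->execute([...]) === false) { throw new \RuntimeException('DebugMysql insert failed: ' . implode(' ', $stmt->errorInfo())); }`. In the first hunk the statement text still interpolates `{$this->tableName}`; identifiers cannot be bound as parameters, so if the table name originates from configuration it should be validated once at construction (e.g. `preg_match('/^[A-Za-z0-9_]+$/', $this->tableName)`) — I cannot see from these hunks where it is assigned. Note also that a one-time `prepare()` outside the loops is the right shape, but the enclosing method starts before the first hunk and its remaining lines are outside this view.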