这是将表单数据插入MySQL数据库的安全方法吗? [英] Is this a secure method to insert form data into a MySQL database?

问题描述

可能重复:
如何防止PHP中的SQL注入?

Possible Duplicate:
How can I prevent SQL injection in PHP?

这是w3schools.org上的示例:

This is the example on w3schools.org:

<html>
    <body>
        <form action="insert.php" method="post">
            Firstname: <input type="text" name="firstname" />
            Lastname: <input type="text" name="lastname" />
            Age: <input type="text" name="age" />
            <input type="submit" />
        </form>
    </body>
</html>

文件insert.php:

<?php
    $con = mysql_connect("localhost","peter","abc123");
    if (!$con)
    {
        die('Could not connect: ' . mysql_error());
    }

    mysql_select_db("my_db", $con);

    $sql="INSERT INTO Persons (FirstName, LastName, Age)
          VALUES
          ('$_POST[firstname]','$_POST[lastname]','$_POST[age]')";

    if (!mysql_query($sql,$con))
    {
        die('Error: ' . mysql_error());
    }
    echo "1 record added";

    mysql_close($con)
?>

我在这里已经阅读了其他问题，但是我找不到直接的答案，因为大多数问题要复杂得多.

I've read through other questions on here, but I couldn't find a direct answer, as most were much more complicated.

我查看了 如何防止SQL注入PHP? ，但是我对如何修改它有些困惑:

I looked at How can I prevent SQL injection in PHP?, but I'm a bit confused on how to modify this:

$preparedStatement = $db->prepare('INSERT INTO table (column) VALUES (:column)');

$preparedStatement->execute(array(':column' => $unsafeValue));

假设我使用了上面的HTML表单，并想将字段"firstname"中的数据插入数据库中，它应该是这样吗?还是应该修改column?:

Assuming I used the HTML form above and wanted to insert the data from field 'firstname' into the database, should it look like this? Or am I supposed to modify column?:

$preparedStatement = $db->prepare('INSERT INTO table (column) VALUES (:column)');

$preparedStatement->execute(array(':column' => $firstname));

推荐答案

您提供的示例将后var插入数据库中，而无需首先分析它们是否有恶意用户输入.在将它们与数据库交互之前，请使用类型转换，转义/过滤功能，准备好的语句等.

The example you provided inserts the post vars into the database without first analyzing them for evil user input. Use type casting, escaping/filter functions, prepared statements etc. before using them to interact with your DB.

要遵循的一般规则是永远不要信任用户输入.永远！

A general rule to go by is to never trust user input. EVER!

签出:在PHP中停止SQL注入的最佳方法

针对您的问题，这是如何使用PDO准备好的语句处理整个表格.

In response to your question, here is how you'd handle the entire form using PDO prepared statements.

$stmt = $db->prepare('INSERT INTO Persons (FirstName, LastName, Age) VALUES (:first_name, :last_name, :age)');

$stmt->execute(array(':first_name' => $first_name,':last_name' => $last_name, ':age' => $age));

如果您只想按要求在记录中插入一列，则语法为:

If you just want to insert one column in the record like you asked, the syntax would be:

$stmt = $db->prepare('INSERT INTO Persons (FirstName) VALUES (:first_name)');

$stmt->execute(':first_name', $first_name);

这篇关于这是将表单数据插入MySQL数据库的安全方法吗?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！