bind_param完成什么工作? [英] What does bind_param accomplish?
问题描述
我正在学习避免SQL注入,我有点困惑.
I'm learning about avoiding SQL injections and I'm a bit confused.
使用bind_param时,我不明白目的.在手册页上,我找到了以下示例:
When using bind_param, I don't understand the purpose. On the manual page, I found this example:
$stmt = mysqli_prepare($link, "INSERT INTO CountryLanguage VALUES (?, ?, ?, ?)");
mysqli_stmt_bind_param($stmt, 'sssd', $code, $language, $official, $percent);
$code = 'DEU';
$language = 'Bavarian';
$official = "F";
$percent = 11.2;
现在,假设这4个变量是用户输入的,我不明白这是如何防止SQL注入的.据我了解,他们仍然可以在其中输入任何内容.
Now, assuming those 4 variables were user-inputted, I don't understand how this prevents SQL injections. By my understanding, they can still input whatever they want in there.
我也找不到那里的'sssd'解释.它有什么作用?是什么使它更安全?
I also can't find an explanation for the 'sssd' in there. What does it do? Is that what makes it secure-er?
最后一个问题:我读到另一个问题,即mysqli_real_escape_string已过时,但手册中并未说明.如何弃用?出于某种原因,它不能再转义特殊字符吗?
Final question: I read on another question that mysqli_real_escape_string is deprecated, but it doesn't say that in the manual. How is it deprecated? Can it not escape special characters anymore for some reason?
注意:这个问题解释了bind_param的作用,但是我仍然不明白为什么它更安全或更受保护. Bind_param说明
Note: This question explained what bind_param does, but I still don't understand why it is any safer or more protected. Bind_param explanation
推荐答案
现在,假设这四个变量是用户输入的,我不明白 如何防止SQL注入.据我了解,他们仍然可以 在其中输入他们想要的任何内容.
Now, assuming those 4 variables were user-inputted, I don't understand how this prevents SQL injections. By my understanding, they can still input whatever they want in there.
其中的主要原理是使用准备好的语句,该语句用于将安全查询发送到db服务器,这可以通过转义不属于实际查询的用户输入,并在不包含任何查询的情况下检查查询(where子句)来完成.在使用任何参数之前检查查询的有效性.
The main principle there is using prepared statement which is designed for sending safe query to db server, this can be done by escaping user input which is not part of the real query, and also checking the query without any (where clause) to check the validity of the query before using any parameters.
从此问题开始:
服务器日志: 通过使用prepared语句,db服务器将检查不带任何参数的查询,在此阶段,可以在绑定任何参数之前检测到错误,然后,如果查询有效,则参数也将被发送到服务器以完成查询.查询. By Using prepared statement, db server will check the query without any parameter, at this stage, errors can be detected before binding any parameter, then, if the query was valid, parameters also will be send to the server for finalizing the query. 从PHP手册 http://php.net/manual/zh-CN /mysqli.quickstart.prepared-statements.php : 转义和SQL注入 Escaping and SQL injection 绑定变量将由服务器自动转义.这
服务器将其转义值插入适当的位置
执行之前的语句模板.必须提供一个提示给
服务器为绑定变量的类型,创建一个合适的
转换.有关更多信息,请参见mysqli_stmt_bind_param()函数.
信息. Bound variables will be escaped automatically by the server. The
server inserts their escaped values at the appropriate places into the
statement template before execution. A hint must be provided to the
server for the type of bound variable, to create an appropriate
conversion. See the mysqli_stmt_bind_param() function for more
information. .. 我也找不到那里的"sssd"解释.有什么事
做?是什么使它更安全? I also can't find an explanation for the 'sssd' in there. What does it
do? Is that what makes it secure-er? 答案在这里: http://php.net/manual /en/mysqli-stmt.bind-param.php
最后一个问题:我读了另一个问题,
mysqli_real_escape_string已被弃用,但并未在
手册.如何弃用?不能逃脱特殊字符
出于某种原因了吗? Final question: I read on another question that
mysqli_real_escape_string is deprecated, but it doesn't say that in
the manual. How is it deprecated? Can it not escape special characters
anymore for some reason? 您能提供参考吗?我认为您对( Can you give a reference? I think you misunderstood with ( 这篇关于bind_param完成什么工作?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋! 130802 23:39:39 175 Connect ****@localhost on testdb
175 Prepare SELECT * FROM users WHERE username =?
175 Execute SELECT * FROM users WHERE username =0
175 Quit
i
corresponding variable has type integer
d
corresponding variable has type double
s
corresponding variable has type string
b
corresponding variable is a blob and will be sent in packets
mysql_real_escape_string())mysql_real_escape_string())
