mysqli准备好的语句和mysqli_real_escape_string [英] mysqli prepared statements and mysqli_real_escape_string
问题描述
我当前正在使用mysqli php扩展名.
I'm currently using the mysqli php extension.
传统上,我使用mysqli_real_escape_string来逃避用户输入.但是,我正在研究更改代码(希望以尽可能少的步骤)以使用准备好的语句.
Traditionally I have used mysqli_real_escape_string to escape user input. However I am looking at changing over the code (hopefully in as few steps as possible) to use prepared statements.
我想清楚一点-如果我使用准备好的语句来绑定我的所有变量,我可以确信sql注入是不可能的吗? (并完全省去mysqli_real_escape_string吗?)
I want to be clear on this - provided I use prepared statements to bind all of my variables, can I be confident that sql injection is impossible? (And dispense completely with mysqli_real_escape_string?)
谢谢
推荐答案
如果正确绑定所有变量,则可以大大降低SQL注入的风险.如果您动态创建SQL,例如仍然可以进行SQL注入:
If you correctly bind all your variables you can dramatically reduce the risk of SQL injection. It is still possible to get an SQL injection if you create SQL dynamically for example:
'SELECT * FROM ' . $tablename . ' WHERE id = ?'
但是,如果避免这种情况,则不太可能出现问题.
But if you avoid things like this it is unlikely you will have problems.
这篇关于mysqli准备好的语句和mysqli_real_escape_string的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!