在MySQLi上使用bind_param()时，是否需要转义数据以防止SQL注入? [英] Do I need to escape data to protect against SQL injection when using bind_param() on MySQLi?

问题描述

正如标题所述，使用bind_param()时是否必须转义用户输入?还是在内部完成?

As the title says, do I have to escape user input when using bind_param() or is that done internally?

谢谢.

推荐答案

不，您不需要在绑定参数时转义数据以防止SQL注入.

No, you do not need to escape data to protect against SQL injection when binding parameters.

但这不会免除您验证所说数据的麻烦.

This does not absolve you from validating said data though.

绑定参数时，不会进行转义(内部或其他方式).准备带有参数占位符的SQL语句，并在执行时传递这些值的值.

When binding parameters, there is no escaping performed (internally or otherwise). An SQL statement is prepared with parameter placeholders and values for these are passed at execution time.

数据库知道什么是参数，并与SQL值插值相对应地对其进行相应处理.

The database knows what parameters are and treats them accordingly as opposed to SQL value interpolation.

这篇关于在MySQLi上使用bind_param()时，是否需要转义数据以防止SQL注入?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！