mysqli_stmt_bind_param SQL注入 [英] mysqli_stmt_bind_param SQL Injection

查看：87 发布时间：2020/5/16 18:53:21 php mysqli security

本文介绍了mysqli_stmt_bind_param SQL注入的处理方法，对大家解决问题具有一定的参考价值，需要的朋友们下面随着小编来一起学习吧！

使用准备好的语句和mysqli_stmt_bind_param时，仍有注入风险吗?

Is there still an injection risk when using prepared statements and mysqli_stmt_bind_param?

例如:

$malicious_input = 'bob"; drop table users';
mysqli_stmt_bind_param($stmt, 's', $malicious_input);

mysqli_stmt_bind_param在后台将此查询字符串传递给mysql:

Behind the scenes does mysqli_stmt_bind_param pass this query string to mysql:

SET @username = "bob"; drop table users";

它是通过API执行SET命令还是使用某种类型的保护措施来防止这种情况发生?

Or does it perform the SET command through the API, or use some type of protection to keep this from happening?