在php和mysql中使用占位符以防止注入 [英] using placeholders with php and mysql to prevent injection
本文介绍了在php和mysql中使用占位符以防止注入的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!
问题描述
我了解mysql_已被弃用,但我只是将其用作学习书籍的工具.
I understand mysql_ has been deprecated, but I'm just using it as a tool to learn from a book.
我正在尝试了解占位符,并且当我单击添加记录"时遇到以下错误:
I'm trying to learn about placeholders and I got the following error when I clicked on "add record":
INSERT failed: EXECUTE statement USING @first,@last,@email,@user
Unknown prepared statement handler (statement) given to EXECUTE
使用以下代码:
if (isset($_POST['first']) && isset($_POST['last']) && isset($_POST['user_name']) && isset($_POST['email']))
{
$first = get_post('first');
$last = get_post('last');
$email = get_post('email');
$user_name = get_post('user_name');
// begin placeholde code
$query = 'PREPARE statement FROM "INSERT INTO user_master VALUES(?,?,?,?)"';
mysql_query($query);
$query = 'SET @first = "$first",' . 'SET @last = "$last",' . 'SET @email = "$email",' . 'SET @user_name = "$user_name",';
mysql_query($query);
$query = 'EXECUTE statement USING @first,@last,@email,@user';
mysql_query;
// end placeholder code
if(!mysql_query($query, $db_server)) echo "INSERT failed: $query <br />" . mysql_error() . "<br /><br />";
}
echo <<<END
<form action = "willingLog.html" method="post"><fieldset><legend>Sign Up:</legend> <pre>
First <input type="text" name="first" />
Last <input type="text" name="last" />
Email <input type="text" name="email" />
Username <input type="text" name="user_name" />
<input type="submit" value="AD RECORD" />
</pre></fieldset></form>
END;
// also from placeholder code
$query = 'DEALLOCATE PREPARE statement';
mysql_query($query);
// end placeholder code
推荐答案
您的代码有2个错误.
- 您试图在一次调用mysql_query的过程中运行多个查询,而您必须分别运行每个查询 您正在使用的
- 内联预处理语句无用,无法防止sql注入,因为您以通常的方式创建SQL查询,直接添加数据.因此,您必须像往常一样设置其格式,从而使准备好的语句变得毫无用处.
- You are trying to run several queries in one call to mysql_query, while you have to run each of them separately
- inline prepared statements you're using are useless to prevent sql injections, as you are creating an SQL query the usual way, adding data directly. So, you have to format it as usual, making prepared statements quite useless.
因此,如果Scarlett O'Hara或Bobby Tables决定加入您的网站,那么您就麻烦了.
So, if Scarlett O'Hara or Bobby Tables will decide to join your site - you're in trouble.
因此.
- 仅使用内联准备好的语句在控制台 中使用它们
- 如果要使用PHP应用程序中的本机预处理语句,请使用PDO.
-
始终正确设置查询的格式,即
- Use inline prepared statements only to play with them in console
- If you want to use native prepared statements from PHP application - use PDO.
Always format your queries properly, i.e.
$last = mysql_real_escape_string($_POST['last']);
如果要在查询中将其作为字符串插入
if you going to insert it as a string in your query
这篇关于在php和mysql中使用占位符以防止注入的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
查看全文
