Can I fully prevent SQL injection by PDO Prepared statement without bind_param?


Question


I am very new to PDO, sorry if you feel I am asking stupid question.
Normal and simple PDO Prepared statement without Bind_param :

$sql = $db->prepare('SELECT * FROM employees WHERE name = ?');
$sql->execute(array($name));
$rows = $sql->fetchAll();

Using Bind_param:

$sql->bind_param("s", $name); //s means the database expects a string


I heard people said : "The protection comes from using bound parameters, not from using prepared statement". May I know what is bound parameters? Bind_param is bound parameter? If yes, then the normal and simple PDO Prepared statement without Bind_param CANNOT fully prevent SQL injection?

Answer


You're doing it right. The bound parameters are the ones declared in a "prepared statement" using ?. Then they are bound using execute() with their value as a parameter to be bound to the statement.
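The following is an added example, not code from the original question or answer, that puts the three approaches side by side: string concatenation (vulnerable), the question's execute(array) form, and PDO's explicit bindValue(), which is what the question's bind_param() corresponds to (bind_param() itself is the mysqli API, not PDO's). It runs against an in-memory SQLite database; the employees table, its two rows, the tautology payload and the function names are all constructed for this example.

```php
<?php
// Added example (not from the original question or answer).
// Assumptions: in-memory SQLite via PDO, a constructed employees table,
// and a constructed attacker payload. Function names are this example's own.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE employees (id INTEGER PRIMARY KEY, name TEXT, salary INTEGER)');
$db->exec("INSERT INTO employees (name, salary) VALUES ('alice', 100), ('bob', 200)");

// Attacker-controlled input: a classic tautology payload.
$name = "x' OR '1'='1";

// 1. Vulnerable: the value is spliced into the SQL text, so the payload's
//    quote closes the literal and its OR clause becomes part of the query.
function lookupConcat(PDO $db, string $name): array {
    $sql = "SELECT name FROM employees WHERE name = '" . $name . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// 2. Safe: placeholder plus execute(array), exactly the question's form.
//    The value is sent as a parameter and never becomes part of the SQL text.
function lookupExecute(PDO $db, string $name): array {
    $stmt = $db->prepare('SELECT name FROM employees WHERE name = ?');
    $stmt->execute([$name]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// 3. Equally safe: explicit bindValue() with a type hint. This is PDO's
//    counterpart to mysqli's bind_param("s", ...); it adds nothing
//    security-wise over execute(array), only an explicit type.
function lookupBindValue(PDO $db, string $name): array {
    $stmt = $db->prepare('SELECT name FROM employees WHERE name = :name');
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// 4. The limit of binding: identifiers (table/column names, ORDER BY targets)
//    cannot be parameters. For those, validate against a fixed allow-list.
function listSorted(PDO $db, string $orderBy): array {
    $allowed = ['name', 'salary'];
    if (!in_array($orderBy, $allowed, true)) {
        throw new InvalidArgumentException('invalid sort column');
    }
    // Safe only because $orderBy was just checked against $allowed.
    return $db->query("SELECT name FROM employees ORDER BY $orderBy")
              ->fetchAll(PDO::FETCH_COLUMN);
}

var_dump(lookupConcat($db, $name));
var_dump(lookupExecute($db, $name));
var_dump(lookupBindValue($db, $name));
var_dump(listSorted($db, 'salary'));
```

Running it, lookupConcat returns both employees because the injected OR clause matches every row, while lookupExecute and lookupBindValue return an empty array because they look for an employee whose name is literally the payload string. Two practical caveats: parameters only protect values, never identifiers or keywords, which is why listSorted uses an allow-list; and with the MySQL driver PDO emulates prepares by default (PDO::ATTR_EMULATE_PREPARES is true), in which case the escaping happens client-side and the connection charset should be set in the DSN so the escaping matches the server's expectations.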

