sprintf()如何防止SQL注入? [英] How does sprintf() protect against SQL injection?

查看：177 发布时间：2020/5/15 1:15:14 php mysql sql-injection

本文介绍了sprintf()如何防止SQL注入?的处理方法，对大家解决问题具有一定的参考价值，需要的朋友们下面随着小编来一起学习吧！

我听说sprintf()可以防止SQL注入.是真的吗如果可以，怎么办?

I have heard that sprintf() protects against SQL injection. Is it true? If so, how?

为什么人们建议像这样编写查询:

Why people are recommending to write query like this:

$sql = sprintf('SELECT * FROM TABLE WHERE COL1 = %s AND COL2 = %s',$col1,$col2);

sprintf不会保护您！它仅替换%s

sprintf won't protect you! It only replaces the %s

您必须这样mysql_real_escape_string:

you must mysql_real_escape_string so:

$sql = sprintf('SELECT * FROM TABLE WHERE COL1 = "%s" AND COL2 = "%s"',
mysql_real_escape_string($col1),
mysql_real_escape_string($col2));

更安全的注射

注意:我建议您看一下 PDO ，这是我喜欢用于DBconections和查询的

note: I suggest you take a look at PDO, it is what I like to use for DBconections and queries

这篇关于sprintf()如何防止SQL注入?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！

查看全文