sprintf()如何防止SQL注入? [英] How does sprintf() protect against SQL injection?
本文介绍了sprintf()如何防止SQL注入?的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!
问题描述
我听说sprintf()
可以防止SQL注入.是真的吗如果可以,怎么办?
I have heard that sprintf()
protects against SQL injection. Is it true? If so, how?
为什么人们建议像这样编写查询:
Why people are recommending to write query like this:
$sql = sprintf('SELECT * FROM TABLE WHERE COL1 = %s AND COL2 = %s',$col1,$col2);
推荐答案
sprintf不会保护您!它仅替换%s
sprintf won't protect you! It only replaces the %s
您必须这样mysql_real_escape_string:
you must mysql_real_escape_string so:
$sql = sprintf('SELECT * FROM TABLE WHERE COL1 = "%s" AND COL2 = "%s"',
mysql_real_escape_string($col1),
mysql_real_escape_string($col2));
更安全的注射
注意:我建议您看一下 PDO ,这是我喜欢用于DBconections和查询的
note: I suggest you take a look at PDO, it is what I like to use for DBconections and queries
这篇关于sprintf()如何防止SQL注入?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
查看全文