正确准备语句的语法 [英] Getting the syntax of prepared statements right

问题描述

我发现有必要在一个我所知甚少的领域中工作.我必须保护一个使用大约20个MySQL SELECT调用向网站访问者提供信息的网站数据库.呼叫全部采用以下形式:

I am finding it necessary to work in an area that I have very little knowledge in. I have to secure a website database that uses about 20 MySQL SELECT calls to supply information to website visitors. The calls all take the form of:

$leadstory = "-1";
if (isset($_GET['leadstory'])) {
  $leadstory = $_GET['leadstory'];
}

$query_News = "SELECT * FROM news WHERE lead_story = $leadstory";
$News = mysql_query($query_News, $HDAdave) or die(mysql_error());
$row_News = mysql_fetch_assoc($News);
$totalRows_News = mysql_num_rows($News);

在上一篇文章中，我问这些SELECT语句是否容易受到sql插入攻击.大家可能都知道答案是肯定的.我已经阅读并理解我需要使用mysqli以及类似以下的内容:

In a previous post I asked if these SELECT statements were vulnerable to sql insertion attacks. The answer was yes as you all probably know. I have done some reading and understand that I need to use mysqli and something like the following:

$statement = $db_connection->prepare("SELECT * FROM news WHERE lead_story = ?;';");
$statement->bind_param("s", $leadstory);
$statement->execute();
$row_News = $statement->fetchAll();

我有几个问题.

1. 如果连接失败，我是否需要输入"或死"类型的行?

如何分配 $ totalRows_News ?

我还需要使用mysql_real_escape_string"清理" $leadstory变量吗?

Do I also need to "clean" the $leadstory variable with mysql_real_escape_string?

推荐答案

使用PDO将使您的生活更加轻松

Using PDO would make your life so much easier

$pdo = new PDO(...);
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$stmt = $pdo->prepare('SELECT * FROM news WHERE lead_story = ?');
$stmt->bindParam(1, $leadStory);
$stmt->execute();

$allRows_News = $stmt->fetchAll();
$totalRows_News = count($allRows_News);

这篇关于正确准备语句的语法的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！