如何从PHP MySQL SQL注入易受攻击的查询转到MySQLi不易受攻击的查询 [英] How to go from php MySQL sql injection vulnerable query to a MySQLi not vulnerable query

问题描述

我正在学习MySQLi，以使我的站点不容易受到SQL注入的攻击(现在已到现在)，但是当我尝试将旧查询转换"为MySQLi语句时，我感到困惑，所以希望您能为我提供一些帮助例子，所以我可以得到它.非常感谢！.

im learning MySQLi in order to make my site not vulnerable to SQL injections (wich is now) but i get confuse when i was trying to "translate" my old querys to MySQLi statements, so i hope you can help me with some examples so i can get it. Thanks a lot!.

更新我的网站计数器

$sql = "UPDATE post SET counter = counter+1 WHERE id=".$tget;

排序我的评论

$info=mysql_query("SELECT * FROM `comments` WHERE idpost=" . $tget . " AND active=1 ORDER BY datetime DESC");

保存评论

$sql = "INSERT INTO `comments` (`id`, `idpost`, `comment`, `datetime`, `author`, `active`) VALUES (NULL, '" . addslashes($_POST['idcomment']) . "', '" . addslashes($_POST['comment']) . "', NOW(), '" . addslashes($_POST['name']) . "', '1');";

如果您可以向我解释如何从此处转到MySQLi，那么我可以完成其他查询.

If you can explain me how to go from here to MySQLi i can finish with the others querys.

顺便说一句，如果您(专家)认为还有比MySQLi更好的保护我免受sql注入攻击的方法，请告诉我.

And by way, if you (expert) consider that there is other way to protect me from sql injections better than MySQLi, please tell me about it.

推荐答案

$conn = new mysqli(…);
$sql = "UPDATE post SET counter = counter+ 1 WHERE id= ?";
$stmt = $conn->prepare($sql);
$stmt->bind_param("i", $tget);
$stmt->execute();

在bind_param的第一个参数中，使用字符串i，s，d和b设置参数类型:

In the first argument to bind_param, use a string of i, s, d and b to set the parameter types:

$stmt = $conn->prepare("INSERT INTO mytable (int_column, string_column, double_column, blob_column, another_int_column VALUES (?, ?, ?, ?, ?)");
$stmt->bind_param("isdbi", $int_val, $string_val, $double_val, $blob_val, $another_int_val);
$stmt->execute();

这篇关于如何从PHP MySQL SQL注入易受攻击的查询转到MySQLi不易受攻击的查询的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！