此查询注入证明吗? [英] Is this query injection proof?
本文介绍了此查询注入证明吗?的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!
问题描述
我正在使用PDO与我的数据库通信,我想知道是否强制转换这样的类型
I am using PDO to talk to my database, and I wonder if casting a type like this
$dbh->query("SELECT * FROM recipes WHERE id=".(int)$id);
足以防止sql注入吗?在这种情况下,$ id始终是整数.
is sufficient to prevent sql injection? In this case $id is always an integer.
我还想知道,如果变量是字符串,那么防止这种语句注入的好方法是什么.
I also wonder what would be a good way to prevent an injection in this kind of statement if the variable was a string.
推荐答案
是.强制转换为int可以防止所有讨厌的SQL注入.
Yes. Casting to int prevents all the nasty SQL injection possibilities.
如果变量是字符串,则应使用准备的语句通过它.
If the variable were a string, you should use prepared statements to pass it.
$sql = 'SELECT name, colour, calories
FROM fruit
WHERE calories < :calories AND colour = :colour';
$sth = $dbh->prepare($sql);
$sth->execute(array(':calories' => 150, ':colour' => 'red'));
$red = $sth->fetchAll();
这篇关于此查询注入证明吗?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
查看全文