此查询注入证明吗? [英] Is this query injection proof?

问题描述

我正在使用PDO与我的数据库通信，我想知道是否强制转换这样的类型

I am using PDO to talk to my database, and I wonder if casting a type like this

$dbh->query("SELECT * FROM recipes WHERE id=".(int)$id);

足以防止sql注入吗?在这种情况下，$ id始终是整数.

is sufficient to prevent sql injection? In this case $id is always an integer.

我还想知道，如果变量是字符串，那么防止这种语句注入的好方法是什么.

I also wonder what would be a good way to prevent an injection in this kind of statement if the variable was a string.

推荐答案

是.强制转换为int可以防止所有讨厌的SQL注入.

Yes. Casting to int prevents all the nasty SQL injection possibilities.

如果变量是字符串，则应使用准备的语句通过它.

If the variable were a string, you should use prepared statements to pass it.

$sql = 'SELECT name, colour, calories
    FROM fruit
    WHERE calories < :calories AND colour = :colour';
$sth = $dbh->prepare($sql);
$sth->execute(array(':calories' => 150, ':colour' => 'red'));
$red = $sth->fetchAll();

这篇关于此查询注入证明吗?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！