PDO prepared statements


Question

I know that PDO prepared statements should be used to avoid SQL injection. Must it always have this format:

$stmt = $db->prepare('SELECT * FROM table where id = :id');
$stmt->execute( array(':id' => $_GET['id']) );

or will any of the following formats negate SQL injection too?

Version 1

$queryString = "SELECT * FROM table WHERE id = ".$_GET['id'];
$stmt = $db->prepare($queryString);
$stmt->execute();
$row = $stmt->fetchAll(PDO::FETCH_ASSOC);

Version 2

$stmt = $db->query("SELECT * FROM table WHERE id = ".$_GET['id']);
$row = $stmt->fetchAll(PDO::FETCH_ASSOC);

Accepted answer

You have to bind your variables like you do in your first code. The Version 1 and Version 2 codes are both INSECURE.
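The point of the accepted answer, shown as an added example that is not part of the original question or answer: in Version 1 and Version 2 the user-supplied value is concatenated into the SQL text before `prepare()` or `query()` ever sees it, so the driver has no way to tell data from query. With a bound parameter the SQL text is fixed and the value is sent separately. The example uses an in-memory SQLite database and a table and rows constructed here, so it runs stand-alone; the function names and the sample inputs are assumptions for illustration.

```php
<?php
// Added example (not from the original question or answer). Compares the
// concatenation pattern from Version 1/2 with the bound-parameter pattern.
// Uses an in-memory SQLite database; table and rows are constructed here.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
// Make driver errors throw, so a query whose text was altered by input
// becomes visible instead of silently returning nothing.
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$db->exec('CREATE TABLE t (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO t (id, name) VALUES (1, 'alice'), (2, 'bob')");

// Version 1/2 pattern: the input is spliced into the SQL string, so
// prepare() receives whatever the caller typed as part of the query.
function findByIdUnsafe(PDO $db, string $id): array
{
    $stmt = $db->prepare('SELECT * FROM t WHERE id = ' . $id);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Pattern from the accepted answer: the SQL text never changes; the
// value travels as a parameter and can only be compared, never parsed.
function findByIdSafe(PDO $db, string $id): array
{
    $stmt = $db->prepare('SELECT * FROM t WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$normal = '1';
$odd    = "1'";   // constructed input containing a SQL metacharacter

var_dump(findByIdSafe($db, $normal)); // one row: id 1, alice
var_dump(findByIdSafe($db, $odd));    // empty: "1'" is compared as a plain string

try {
    findByIdUnsafe($db, $odd);        // the quote becomes part of the SQL text
} catch (PDOException $e) {
    echo "unsafe version: the input changed the query itself: "
        . $e->getMessage() . "\n";
}
```

Two practical notes. For an integer column, validating or casting the value (`(int)$_GET['id']` with `PDO::PARAM_INT`) before binding is still worthwhile, because a bound parameter stops the value from being interpreted as SQL but does not stop a nonsensical value from reaching the query. On the MySQL driver, PDO emulates prepares on the client side by default; setting `PDO::ATTR_EMULATE_PREPARES` to `false` makes the server do the prepare, which keeps query text and parameters separate all the way to the database.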
