PDO prepared statements
Question
I know that PDO prepared statements should be used to avoid SQL injection. Must it always have this format:
$stmt = $db->prepare('SELECT * FROM table where id = :id');
$stmt->execute( array(':id' => $_GET['id']) );
or will any of the following formats negate SQL injection too?
Version 1
$queryString = "SELECT * FROM table WHERE id = ".$_GET['id'];
$stmt= $db->prepare($queryString);
$stmt->execute();
$row = $stmt->fetchAll(PDO::FETCH_ASSOC);
Version 2
$stmt = $db->query("SELECT * FROM table WHERE id = ".$_GET['id']);
$row = $stmt->fetchAll(PDO::FETCH_ASSOC);
Accepted answer
You have to bind your variables like you do in your first code. The Version 1 and Version 2 codes are both INSECURE.
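The reason the answer gives is that in Version 1 and Version 2 the untrusted value is already spliced into the SQL text before prepare() or query() ever sees it, so there is nothing left for the driver to treat as a parameter. The script below is an added example, not code from the question or the answer: it runs the "Version 1" shape and the bound shape side by side against an in-memory SQLite table with three constructed rows. It assumes the pdo_sqlite extension is available; the table name, column names and the test input are all constructed for the demonstration.

```php
<?php
// Added example (not from the original question or answer): contrasts the
// concatenated query of "Version 1" with a query that binds its parameter.
// Assumes the pdo_sqlite extension so it runs offline against an in-memory DB.
declare(strict_types=1);

$db = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    // Ask for real server-side prepared statements. SQLite always uses them
    // and ignores this flag; pdo_mysql emulates prepares by default, and
    // disabling emulation there keeps SQL text and values separate end to end.
    PDO::ATTR_EMULATE_PREPARES   => false,
]);

// Constructed sample data.
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$db->exec("INSERT INTO users (id, name) VALUES (1, 'alice'), (2, 'bob'), (3, 'carol')");

// INSECURE: same shape as "Version 1". prepare() receives a string that
// already contains the untrusted value, so the value is parsed as SQL.
function findUserInsecure(PDO $db, string $untrustedId): array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE id = ' . $untrustedId);
    $stmt->execute();
    return $stmt->fetchAll();
}

// SAFE: the SQL text contains only a placeholder. The value is sent
// separately and is always a literal, never part of the statement.
function findUserSafe(PDO $db, string $untrustedId): array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE id = :id');
    $stmt->bindValue(':id', $untrustedId, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll();
}

// Stand-in for $_GET['id'] from the question: a value that contains SQL syntax.
$input = '1 OR 1=1';

// The concatenated form lets the input rewrite the WHERE clause: all 3 rows.
printf("insecure: %d row(s)\n", count(findUserInsecure($db, $input)));
// The bound form compares id against the literal string '1 OR 1=1': 0 rows.
printf("safe:     %d row(s)\n", count(findUserSafe($db, $input)));
// A well-formed id still works through the bound form.
printf("safe, id=2: %s\n", findUserSafe($db, '2')[0]['name']); // bob
```

The two functions differ only in where the value enters: as text inside the SQL string, or as a bound parameter. For an integer column you would normally also validate the input (for example with filter_var and FILTER_VALIDATE_INT) and bind it with PDO::PARAM_INT, but even the plain string binding shown here is enough to keep the input from changing the query's structure, which is the point the answer makes.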