mysql真正的转义字符串绝对解决sql注入 [英] mysql real escape string solve sql injection definitely

问题描述

我想知道是否将 mysql_real_escape_string 添加到足以解决sql注入的变量中

I want to know if I add mysql_real_escape_string to my variables that's enough to solve sql injection

$get_id = "select * from `book` where id='".$mysqli->real_escape_string($id)."' limit 1";

推荐答案

不是，不是。使用准备好的语句。

No, it isn't. Use prepared statements.

您将必须执行以下操作：

You would have to do something like this:

// Your connection settings
$connData = ["localhost", "user", "pass", "database"];

$conn = new mysqli($connData[0], $connData[1], $connData[2], $connData[3]);
$conn->set_charset("utf8");

if ($conn->connect_error) {
    die("Connection failed: " . $conn->connect_error);
}

// Here we explain MySQL which will be the query
$stmt = $conn->prepare("select * from book where id=? limit 1");

// Here we tell PHP which variable hash de "?" value. Also you tell PHP that $id has an integer ("i")
$stmt->bind_param("i", $id);

// Here we bind the columns of the query to PHP variables
$stmt->bind_result($column1, $column2, ...); // <--- Whichever columns you have

// Here we execute the query and store the result
$stmt->execute();
$stmt->store_result();

// Here we store the results of each row in our PHP variables ($column1, column2, ...)
while($stmt->fetch()){
    // Now we can do whatever we want (store in array, echo, etc)
    echo "<p>$column1 - $column2 - ...</p>";
}

$stmt->close();
$conn->close();

这篇关于mysql真正的转义字符串绝对解决sql注入的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！