我应该使用bindValue（）还是execute（array（））来避免SQL注入？ [英] Should I use bindValue() or execute(array()) to avoid SQL injection?

问题描述

为了防止SQL注入，我使用PDO。我已经看到人们使用两种方法ie：bindValue（）和then（）或只是执行（array（））

As a prevention against SQL injections, I'm using PDO. I have seen people using both the methods ie: bindValue() and then execute() or just execute(array())

这两种方法是否会阻止攻击？因为mysql_real_escape_string（）已被弃用有什么其他我应该考虑使用这里？

Do both the methods prevent the attack? Since mysql_real_escape_string() is deprecated is there anything else I should consider using here?

像$ aenrollmentno应该类型转换为

Like for $aenrollmentno should I typecast into

$ aenrollmentno = （$ _POST ['aenrollmentno']）;

如果我不在准备语句中使用它，我缺少的任何其他安全措施？

Will this be safe enough if I'm not using it in a prepared statement? Any other security measure that I'm missing?

   <?php  


     if(isset($_POST['aenrollmentno']))
     {
    $aenrollmentno = mysql_real_escape_string($_POST['aenrollmentno']); 
     }



 if(isset($_POST['afirstname']))
        {
            $afirst_name  = mysql_real_escape_string($_POST['afirstname']);
            $afirstname = ucfirst(strtolower($afirst_name));

    }




    //PDO connection     
    try {


        $conn = new PDO('mysql:host=localhost;dbname=practice','root','');
        $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        $conn->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

        $stmt = $conn->prepare('INSERT INTO  modaltable(afirstname, alastname,aenrollmentno) VALUES (:afirstname,:alastname,:aenrollmentno)');

        $stmt->execute(array(

        'afirstname' => $afirstname,
        'alastname' => $alastname,
        'aenrollmentno' => $aenrollmentno,

        ));



    echo "Success!";


    }
    catch (PDOException $e) {
        echo 'ERROR: '. $e->getMessage();
    }


    ?>

推荐答案

execute（array）在每个数组元素上调用bindValue。使用任何适合您的程序流最好。两者都阻止SQL注入。

execute(array) is just a shortcut for a loop that calls bindValue on each of the array elements. Use whatever suits your program flow best. Both prevent SQL injection.

经验法则：无论你传递给哪个准备，都不应以任何方式依赖于用户输入。你可以传递任何你想要执行（） - 你可能会得到运行时错误，例如。如果您尝试将非数字字符串放入数字列 - 但您不允许SQL注入。

Rule of thumb: Whatever you pass to prepare should NOT, in any way, depend on user input. You can pass anything you want to execute() - you might get runtime errors, e.g. if you try to put a non-numeric string into a number column - but you won't allow SQL injections.

这篇关于我应该使用bindValue（）还是execute（array（））来避免SQL注入？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！