[英]PHP/mySQL prepared statement
Is the below php code vulnerable to SQL injection, or is it sufficiently secure as written? 下面的php代码是否容易受到SQL注入攻击,或者它的编写是否足够安全? Also:
也:
mysql_real_escape_string()
to the values passed by the user (or attempt to neuter them in any other way)...? mysql_real_escape_string()
应用于用户传递的值(或尝试以其他任何方式中和它们)...? php_flag magic_quotes off
...? php_flag magic_quotes off
使用php_flag magic_quotes off
吗? Should I be using php_value magic_quotes_gpc 0
...? 我应该使用
php_value magic_quotes_gpc 0
...吗?
$mysqli = new mysqli($server_name, $db_username, $db_password, $db_name); $sql = "SELECT * FROM tbl_users WHERE username=? AND password=?"; $username = $_POST['username']; $password = $_POST['password']; $stmt = $mysqli->prepare($sql); $stmt->bind_param('ss',$username,$password)) { $stmt->execute();
Because the query is being prepared SQL injection is impossible. 因为正在准备查询,所以不可能进行SQL注入。 But this doesn't mean that prepared statement are 100% safe.
但这并不意味着准备好的声明是100%安全的。 Personally I prefer PDO.
我个人更喜欢PDO。 Just have a look at it.
看看吧。
没有什么是绝对安全的,但是由于您正在使用Mysqli并且已经做好了准备,所以应该没事
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.