Bind variables in PHP-MySQL
I am using the code below to execute a MySQL query in PHP.
<?php
$cus_id = '1';
$query = new QUERY();   // the asker's own query wrapper class (not shown on the page)
$clause = "SELECT * FROM customers WHERE cus_id=:cus_id AND status='ACTIVE'";
$params = array('cus_id'=>$cus_id);
$result = $query->run($clause, $params)->fetchAll();
Now the question is: is it secure enough? Or do I need to bind the static string as well? Something like:
$clause = "SELECT * FROM customers WHERE cus_id=:cus_id AND status=:status";
$params = array('cus_id'=>$cus_id, 'status'=>'ACTIVE');
It's secure because ACTIVE isn't user input, so you don't need to bind it.
It's fine the way you have it. The value for status isn't being dynamically assembled and doesn't create any vulnerabilities.
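As an added example (not the asker's QUERY wrapper or the answerer's code), the same pattern with plain PDO: the untrusted cus_id is bound, the 'ACTIVE' literal stays in the SQL, and a second function shows the allow-list check to use when the status itself must vary. It runs against an in-memory SQLite table constructed inline, so it needs no MySQL server; the table contents and function names are assumptions for illustration.

```php
<?php
// Added example, not code from the original post. Uses an in-memory SQLite
// database with constructed sample rows so it runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Ask for real server-side prepared statements where the driver supports them
// (relevant for MySQL; harmless for SQLite).
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

// Constructed sample data.
$pdo->exec("CREATE TABLE customers (cus_id INTEGER, name TEXT, status TEXT)");
$pdo->exec("INSERT INTO customers VALUES (1, 'Alice', 'ACTIVE'), (2, 'Bob', 'INACTIVE')");

/**
 * Same query as the question: $cusId is untrusted (e.g. from $_GET) and is
 * passed as a bound parameter. The fixed literal 'ACTIVE' stays in the SQL
 * text; it is not user input, so there is nothing to bind.
 */
function findActiveCustomer(PDO $pdo, string $cusId): array
{
    $stmt = $pdo->prepare(
        "SELECT * FROM customers WHERE cus_id = :cus_id AND status = 'ACTIVE'"
    );
    $stmt->execute(['cus_id' => $cusId]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

/**
 * If the status must vary, bind it too, but validate it against an allow-list
 * first: binding prevents injection, it does not stop a caller from asking
 * for a status they should not be able to select.
 */
function findCustomerByStatus(PDO $pdo, string $cusId, string $status): array
{
    $allowed = ['ACTIVE', 'INACTIVE'];
    if (!in_array($status, $allowed, true)) {
        throw new InvalidArgumentException("unknown status: $status");
    }
    $stmt = $pdo->prepare(
        "SELECT * FROM customers WHERE cus_id = :cus_id AND status = :status"
    );
    $stmt->execute(['cus_id' => $cusId, 'status' => $status]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// A bound value containing SQL syntax is compared as a plain string, never parsed.
var_dump(findActiveCustomer($pdo, "1 OR 1=1"));        // empty result
var_dump(findActiveCustomer($pdo, "1"));               // Alice
var_dump(findCustomerByStatus($pdo, "2", "INACTIVE")); // Bob
```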