PHP MySQLi为SELECT准备了语句(避免SQL注入)
[英]PHP MySQLi prepared statement for SELECT (avoid SQL Injection)
问题描述
is this the correct way to avoid SQL Injection in this SELECT? 
这是避免在此SELECT中进行SQL注入的正确方法吗?
// --[ Method ]---------------------------------------------------------------
//
// - Purpose : Check if provided $email (taken from user input) exists in the DB
//
// -----------------------------------------------------------------------------
function DB_EmailExists($email)
{
//
if(DB_Connect() == false)
{
echo mysqli_error();
return false;
}
//
$stmt = $GLOBALS['global_db_link']->prepare("SELECT * FROM ".$GLOBALS['global_db_table_users']." WHERE Email=?");
$stmt->bind_param('s', $email);
$stmt->execute();
$stmt->store_result();
$numrows = $stmt->num_rows;
$stmt->close();
//
if ($numrows==0)
{
DB_Disconnect();
return false;
}
//
DB_Disconnect();
return true;
}
1 个解决方案
解决方案1
1 已采纳 2015-11-28 21:41:10
Yes, that works. 是的,那行得通。 But no need to SELECT * , just use SELECT email 但无需SELECT * ,只需使用SELECT email
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.
相关问题
PHP:Mysqli用“ select *”准备的语句 - PHP: Mysqli prepared statement with “select *”
Mysqli准备声明(SQL注入预防) - Mysqli prepared statement (SQL injection prevention)
如何避免每次在php中使用mysqli准备的语句 - how to avoid mysqli prepared statement everytime in php
为什么这个MySQLI预处理语句允许SQL注入? - Why does this MySQLI prepared statement allow SQL injection?
PHP 和 mysqli 准备语句 - PHP and mysqli prepared statement
MySQL准备的语句PHP - Mysqli prepared statement php
php mysqli准备的语句 - php mysqli prepared statement
如何使用 PHP 和 PDO 以及准备好的语句创建安全(避免 SQL 注入)分页? - How to create safe (avoid SQL injection) pagination using PHP and PDO and prepared statement?
准备语句在“SELECT”命令中失败,在PHP中使用mysqli - prepared statement failing for “SELECT” command, using mysqli in PHP
准备好的语句未运行MYSQLI PHP - Prepared statement not running MYSQLI PHP
相关标签