我们应该始终在MySQL和php中使用准备好的语句还是何时使用这些语句?
[英]Should we always use prepared statements in MySQL and php or when to use these?
问题描述
I read so many articles saying that using prepared statements is very secure and good to prevent SQL injections. 
我读了很多文章,说使用准备好的语句非常安全并且可以防止SQL注入。 I built a few websites without using prepared statements. 我没有使用准备好的语句就建立了一些网站。 But after read all those articles, I am thinking to change whole codes using prepared statements. 但是在阅读了所有这些文章之后,我正在考虑使用准备好的语句来更改整个代码。
My Question 我的问题
Is it necessary to use prepared statements always? 是否总是需要使用准备好的语句? or is there any scenario whereby normal statement will be sufficient over prepared statements? 还是在正常陈述比准备陈述足够的情况下?
2 个解决方案
解决方案1
4 已采纳 2018-06-25 03:01:28
Non-prepared statements are sufficient if you have an SQL query that is entirely hard-coded, and needs no PHP variables in the SQL. 如果您具有完全硬编码的SQL查询,并且该SQL中不需要PHP变量,则无需准备的语句就足够了。
Here's an example: 这是一个例子:
$result = $mysqli->query("SELECT * FROM mytable WHERE updated_at > NOW() - INTERVAL 7 DAY");
The query is self-contained. 该查询是独立的。 It's just a fixed string, entirely under control of your application. 它只是一个固定的字符串,完全在您的应用程序的控制之下。 There's no way any untrusted content can affect the query. 任何不受信任的内容都不会影响查询。
If your query needs some variable part, then use query parameters, like this: 如果查询需要一些可变部分,则使用查询参数,如下所示:
$stmt = $mysqli->prepare("SELECT * FROM mytable WHERE updated_at > NOW() - INTERVAL ? DAY");
$stmt->bind_param("i", $number_of_days);
$stmt->execute();
The point of query parameters is to separate potentially untrusted content from the SQL parsing step. 查询参数的重点是将可能不受信任的内容与SQL解析步骤分开。 By using parameters, the value of the bound variable is not combined with the query until after the SQL has been parsed. 通过使用参数,直到解析完SQL之后,绑定变量的值才与查询结合。 Therefore there is no way the bound parameter can affect the logic of the query — the parameter will be limited to act as a single scalar value in the query. 因此,绑定参数不可能影响查询的逻辑-该参数将被限制为在查询中充当单个标量值。
解决方案2
0 2018-06-25 03:46:14
Just found out your question and I remembered my good old days. 刚发现您的问题,我就想起了过去的美好时光。 I too found it difficult to implement prepared statements because at the first sight, it feels to easy to code without it. 我也发现很难执行准备好的语句,因为乍一看,没有它就容易编写代码。 Then at another time, I made a login system using PHP for which I was proud. 然后在另一个时候,我为使用PHP制作的登录系统感到骄傲。 It felt great though making it completely from scratch. 尽管完全从零开始,但感觉很棒。 But, I had made a mistake of not using them and then I checked google for how one can bypass login system. 但是,我犯了一个错误,就是不使用它们,然后我检查了google如何绕过登录系统。 The first trick gave me headache as I could now log into my webpage without knowing the Username or Password and just using some characters like '-' and boom I was into my webpage. 第一个窍门让我头疼,因为我现在不知道用户名或密码就可以登录我的网页,而只是使用一些字符(例如'-'和繁荣)来进入网页。 So i went the whole way back and secured it with parameterized queries and now It's secure. 所以我一路走来,并通过参数化查询保护了它,现在它很安全。 Since, you and me both are beginners, these things will surely give us headache. 既然您和我都是初学者,那么这些事情肯定会让我们头痛。 Also, you are required to use them only when you are accepting something from user input. 另外,仅当您接受用户输入的内容时才需要使用它们。 Else you are good to go. 否则你很好。 Just look around for other vulnerabilities like XSS etc. These too are dangerous. 只是四处寻找其他漏洞,例如XSS等。这些也是危险的。 Good luck 祝好运
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.