如何在php中清理数据以避免SQL注入?
[英]How to sanitize data in php in order to avoid SQL injection?
问题描述
I already used the PDO: 
我已经使用了PDO:
$stmt = $aPDO->prepare("INSERT INTO ".$this->getM_oUser()->getM_sTableName()." (email, hash_pw, hash_key) VALUES (:email, :hash_pw, :hash_key)");
$stmt->bindValue(':email', $this->getM_oUser()->getM_sEmail());
$stmt->bindValue(':hash_pw', $this->getM_oUser()->getM_sHash_pw());
$stmt->bindValue(':hash_key', $this->getM_oUser()->getM_sHash_Key());
$stmt->execute();
Should I also use mysql_real_escape_string() to handle the user input string? 我是否还应该使用mysql_real_escape_string()处理用户输入的字符串? Thank you. 谢谢。
2 个解决方案
解决方案1
1 2011-08-01 08:44:59
Using prepared statements with bound parameters is enough. 使用带有绑定参数的预备语句就足够了。 You don't need to use mysql_real_escape_string (and you probably could not even if you wanted -- you 'd need a MySql connection resource in hand to do it). 您不需要使用mysql_real_escape_string (即使您愿意也可能无法使用-您需要手头的MySql连接资源)。
解决方案2
0 2011-08-01 09:36:33
I'd do something like that to exclude a lot of useless characters from your table name: 我会做类似的事情来从表名中排除很多无用的字符:
$tableName = '`' . preg_replace('`[^-a-zA-Z0-9_]`', $this->getM_oUser()->getM_sTableName()).'`';
$stmt = $aPDO->prepare("INSERT INTO ".$tableName." (email, hash_pw, hash_key) VALUES (:email, :hash_pw, :hash_key)");
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.