
PHP bind_param using variables or POST?

When using bind_param with a mysqli prepared statement, I am unsure whether to use $_POST or variables. If the bind_param values come from a form submitted through a website, is it unsafe to put the $_POST values straight into the bind_param?

$newBlog->bind_param('ss',$_POST['newBlogTitle'],$_POST['newBlogContent']);

or

$newBlogTitle = $_POST['newBlogTitle'];
$newBlogContent = $_POST['newBlogContent'];
$newBlog->bind_param('ss',$newBlogTitle,$newBlogContent);

Or does it not matter?

Is it unsafe to put the $_POST values straight into the bind_param?

String concatenation is key to SQL injection. However, because you are using parameterized queries the data will be automatically escaped and injection risk will be eliminated. It is irrelevant whether or not you assign the $_POST variable to a different variable.

It doesn't matter. The values of the variables are the same, since you're just assigning one to the other.
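As an added example that is not part of the original question or answers, here is the INSERT written both ways the asker considered, together with the input check a defender would add before binding. It assumes a table `blog(title, content)` and a mysqli connection; the credentials are placeholders.

```php
<?php
// Added example (not from the original post): the same INSERT written both
// ways the asker considered, plus the input check a defender wants.
// Assumes a table `blog(title, content)` and an existing mysqli connection.
declare(strict_types=1);

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on DB errors

function insertBlog(mysqli $db, array $post): int
{
    // Validate before binding: an undefined array element passed by reference
    // to bind_param is silently created as null instead of raising an error.
    foreach (['newBlogTitle', 'newBlogContent'] as $key) {
        if (!isset($post[$key]) || !is_string($post[$key])) {
            throw new InvalidArgumentException("missing or invalid field: $key");
        }
    }

    // UNSAFE (shown only for contrast): concatenating user input builds the
    // SQL text out of the data, which is exactly what enables injection.
    // $sql = "INSERT INTO blog (title, content) VALUES ('"
    //      . $post['newBlogTitle'] . "', '" . $post['newBlogContent'] . "')";

    // SAFE: the SQL text is fixed; values travel separately as bound parameters.
    $stmt = $db->prepare('INSERT INTO blog (title, content) VALUES (?, ?)');

    // Form 1: bind the $_POST elements directly ...
    $stmt->bind_param('ss', $post['newBlogTitle'], $post['newBlogContent']);

    // ... or Form 2: copy into variables first. Both are equivalent; bind_param
    // binds by reference, so the value held at execute() time is what is sent.
    // $title = $post['newBlogTitle']; $content = $post['newBlogContent'];
    // $stmt->bind_param('ss', $title, $content);

    $stmt->execute();
    return $stmt->affected_rows; // 1 on a successful insert
}

// Usage with placeholder credentials (assumed, not from the original post):
// $db = new mysqli('DB_HOST', 'DB_USER', 'DB_PASS', 'DB_NAME');
// insertBlog($db, $_POST);
```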
