[英]PHP MySQLi prepared statement for SELECT (avoid SQL Injection)
这是避免在此SELECT中进行SQL注入的正确方法吗?
// --[ Method ]---------------------------------------------------------------
//
// - Purpose : Check if provided $email (taken from user input) exists in the DB
//
// -----------------------------------------------------------------------------
function DB_EmailExists($email)
{
//
if(DB_Connect() == false)
{
echo mysqli_error();
return false;
}
//
$stmt = $GLOBALS['global_db_link']->prepare("SELECT * FROM ".$GLOBALS['global_db_table_users']." WHERE Email=?");
$stmt->bind_param('s', $email);
$stmt->execute();
$stmt->store_result();
$numrows = $stmt->num_rows;
$stmt->close();
//
if ($numrows==0)
{
DB_Disconnect();
return false;
}
//
DB_Disconnect();
return true;
}
是的,那行得通。 但无需SELECT *
,只需使用SELECT email
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.