This article presents a simple PHP implementation for preventing SQL injection, using PDO prepared statements. Two variants are shown, one passing the values to execute() and one binding them with bindParam(), together with the usual operational points to keep in mind. The code carries detailed comments so it is easy to follow; readers who need it can refer to it directly.
Method One: passing parameters to execute()
<?php
if (count($_POST) != 0) {
    $host = 'aaa';
    $database = 'bbb';
    $username = 'ccc';
    $password = '***';
    $num = 0;
    // Create a PDO object
    $pdo = new PDO("mysql:host=$host;dbname=$database", $username, $password);
    // Count the entries in the POST array
    foreach ($_POST as $var_key => $var_value) {
        $num = $num + 1;
    }
    // Array index i stores the item ID, array index j stores the inventory
    for ($i = 0; $i < $num; $i = $i + 2) {
        // inventory subscript
        $j = $i + 1;
        // Check the legitimacy of the submitted data
        if (is_numeric(trim($_POST[$i])) && is_numeric(trim($_POST[$j]))) {
            // Disable emulated prepared statements so the server performs a true prepare
            $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
            // Query the database for an item with this ID.
            // When prepare() is called, the query template is sent to the database server;
            // at that point only the ? placeholders are sent, no user-submitted data.
            $stmt = $pdo->prepare("SELECT good_id FROM delphi_test_content WHERE good_id = ?");
            // When execute() is called, the user-submitted values are sent to the database
            // separately from the SQL text, so an attacker has no chance to alter the query.
            $stmt->execute(array($_POST[$i]));
            // Number of rows returned by the query
            $count = $stmt->rowCount();
            // If the item ID and inventory record exist in the local database, update the inventory
            if ($count != 0) {
                $stmt = $pdo->prepare("UPDATE delphi_test_content SET content = ? WHERE good_id = ?");
                $stmt->execute(array($_POST[$j], $_POST[$i]));
            }
            // If the local database has no record for this item ID, insert one
            if ($count == 0) {
                $stmt = $pdo->prepare("INSERT INTO delphi_test_content (good_id, content) VALUES (?, ?)");
                $stmt->execute(array($_POST[$i], $_POST[$j]));
            }
        }
    }
    // Close the connection
    $pdo = null;
}
?>
Method Two: binding parameters with bindParam()
<?php
if (count($_POST) != 0) {
    $host = 'aaa';
    $database = 'bbb';
    $username = 'ccc';
    $password = '***';
    $num = 0;
    // Create a PDO object
    $pdo = new PDO("mysql:host=$host;dbname=$database", $username, $password);
    // Count the entries in the POST array
    foreach ($_POST as $var_key => $var_value) {
        $num = $num + 1;
    }
    // Array index i stores the item ID, array index j stores the inventory
    for ($i = 0; $i < $num; $i = $i + 2) {
        // inventory subscript
        $j = $i + 1;
        // Check the legitimacy of the submitted data (the item number and the inventory;
        // strictly speaking, both strings must consist only of digits)
        if (is_numeric($_POST[$i]) && is_numeric(trim($_POST[$j]))) {
            // Query the database for an item with this ID; the value is bound to
            // placeholder 1 and only sent when execute() runs
            $stmt = $pdo->prepare("SELECT good_id FROM delphi_test_content WHERE good_id = ?");
            $stmt->bindParam(1, $_POST[$i]);
            $stmt->execute();
            // Number of rows returned by the query
            $count = $stmt->rowCount();
            // If the item ID and inventory record exist in the local database, update the inventory
            if ($count != 0) {
                $stmt = $pdo->prepare("UPDATE delphi_test_content SET content = ? WHERE good_id = ?");
                $stmt->bindParam(1, $_POST[$j]);
                $stmt->bindParam(2, $_POST[$i]);
                $stmt->execute();
            }
            // If the local database has no record for this item ID, insert one
            if ($count == 0) {
                $stmt = $pdo->prepare("INSERT INTO delphi_test_content (good_id, content) VALUES (?, ?)");
                $stmt->bindParam(1, $_POST[$i]);
                $stmt->bindParam(2, $_POST[$j]);
                $stmt->execute();
            }
        }
    }
    // Close the connection
    $pdo = null;
}
?>
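The following is an added example, not code from the original article: it carries the same check-then-update-or-insert logic as Method One and Method Two, but runs against an in-memory SQLite database so it can be executed without the MySQL host and credentials the article assumes. The table and column names (delphi_test_content, good_id, content) are taken from the article; the function names, the constructed sample input standing in for $_POST, and the use of fetchColumn() in place of rowCount() are my own choices.

```php
<?php
// Added example (not from the original article): Method One and Method Two
// applied to an in-memory SQLite database. Table/column names follow the
// article; helper names and sample input are assumptions made here.

function connect(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    // Report PDO errors as exceptions rather than silent false return values
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // The article disables emulated prepares; that attribute matters for the
    // MySQL driver (SQLite always prepares natively), so only set it there.
    if ($pdo->getAttribute(PDO::ATTR_DRIVER_NAME) === 'mysql') {
        $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    }
    $pdo->exec('CREATE TABLE delphi_test_content (good_id INTEGER PRIMARY KEY, content INTEGER NOT NULL)');
    return $pdo;
}

// True when a row with this good_id exists. fetchColumn() is used instead of
// the article's rowCount(), which is not defined for SELECT on every PDO driver.
function itemExists(PDO $pdo, string $goodId): bool
{
    $stmt = $pdo->prepare('SELECT good_id FROM delphi_test_content WHERE good_id = ?');
    $stmt->execute([$goodId]);   // the value travels separately from the SQL text
    return $stmt->fetchColumn() !== false;
}

// Method One style: the values are passed to execute() as an array.
function upsertWithExecute(PDO $pdo, string $goodId, string $content): string
{
    if (!is_numeric(trim($goodId)) || !is_numeric(trim($content))) {
        return 'rejected';   // the article's is_numeric() check, applied before any SQL runs
    }
    if (itemExists($pdo, $goodId)) {
        $stmt = $pdo->prepare('UPDATE delphi_test_content SET content = ? WHERE good_id = ?');
        $stmt->execute([$content, $goodId]);
        return 'updated';
    }
    $stmt = $pdo->prepare('INSERT INTO delphi_test_content (good_id, content) VALUES (?, ?)');
    $stmt->execute([$goodId, $content]);
    return 'inserted';
}

// Method Two style: each placeholder is bound with bindParam(), then execute() runs it.
function upsertWithBindParam(PDO $pdo, string $goodId, string $content): string
{
    if (!is_numeric(trim($goodId)) || !is_numeric(trim($content))) {
        return 'rejected';
    }
    if (itemExists($pdo, $goodId)) {
        $stmt = $pdo->prepare('UPDATE delphi_test_content SET content = ? WHERE good_id = ?');
        $stmt->bindParam(1, $content);
        $stmt->bindParam(2, $goodId);
        $stmt->execute();
        return 'updated';
    }
    $stmt = $pdo->prepare('INSERT INTO delphi_test_content (good_id, content) VALUES (?, ?)');
    $stmt->bindParam(1, $goodId);
    $stmt->bindParam(2, $content);
    $stmt->execute();
    return 'inserted';
}

// Walks a POST-shaped array the way the article does: even index = item ID,
// odd index = inventory. Returns the outcome per item ID.
function processPost(PDO $pdo, array $post, bool $useBindParam): array
{
    $results = [];
    for ($i = 0; $i + 1 < count($post); $i += 2) {
        $results[$post[$i]] = $useBindParam
            ? upsertWithBindParam($pdo, $post[$i], $post[$i + 1])
            : upsertWithExecute($pdo, $post[$i], $post[$i + 1]);
    }
    return $results;
}

// Constructed sample input standing in for $_POST (assumption, not from the article).
// '12abc' is deliberately non-numeric so the validation branch is exercised.
$samplePost = ['101', '5', '102', '7', '12abc', '3'];
$pdo = connect();
print_r(processPost($pdo, $samplePost, false));   // first submission: rows are inserted
$samplePost[1] = '9';                              // second submission changes item 101's inventory
print_r(processPost($pdo, $samplePost, true));    // same rows, now updated via bindParam()
$stmt = $pdo->query('SELECT good_id, content FROM delphi_test_content ORDER BY good_id');
print_r($stmt->fetchAll(PDO::FETCH_ASSOC));
$pdo = null;   // close the connection, as the article does
```

Run it with `php example.php` on any PHP build that ships pdo_sqlite. The two upsert functions are interchangeable in what they send to the database: in both, prepare() ships only the SQL template with `?` placeholders, and the submitted values reach the server at execute() time as data, which is the property the article relies on. The is_numeric() check in front of them is still worth keeping, since it rejects malformed input before a query is issued and keeps the stored good_id and content within the integer domain the table expects.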