Preprocessing (one way to prevent SQL injection)

Source: Internet
Author: User
Tags: prepare, sql injection, stmt, ways to prevent sql injection


Pre-processing (precompilation)

There are two ways to prevent SQL injection:

1. Tighten the logic of the code by hand so that it becomes more rigorous and watertight, for example by adding more checks and more input filtering. But even the wise make mistakes, so this approach is not recommended.
2. Preprocessing (prepared statements) of SQL statements.

Preprocessing (precompilation): the SQL statement is compiled before the program actually executes it. The structure of the statement is the same every time; only simple value substitution happens at execution time.

Principle of preprocessing:

INSERT INTO Register_info VALUES (?,?,?,?);

01. Create the SQL statement template and send it to the database. The reserved values are marked with the ? parameter placeholder.
02. The database parses, compiles and performs query optimization on the SQL statement template, and stores the result without outputting it.
03. Pass the bound parameters to the ? placeholders from the previous step and execute the statement. If the parameters differ, the template can be used many times, but parsing the template only needs to be done once.

Advantages of preprocessing:

01. Prepared statements greatly reduce parsing time: the statement is parsed only once, even when it is executed many times (only the values change; the database does not have to process the statement text again).
02. Bound parameters reduce server bandwidth: only the parameters need to be sent each time, not the entire SQL statement.
03. Prepared statements are very effective at preventing SQL injection, because the parameters sent later cannot affect the parsing and compilation of the template, which has already happened; the template is defined by the developer, so there is no loophole for injected SQL.



Object oriented

<?php
// 1. Connect to the database server and select the database "register"
$mysqli = new mysqli('localhost', 'root', '', 'register');

// A mysqli object is always truthy, so test connect_errno rather than the object itself
if (!$mysqli->connect_errno) {
    echo 'Connected to the database.';   // original message text was lost in extraction

    // 2. Set the character set
    $mysqli->set_charset('utf8');

    // 3. Preprocessing core code (the database executes this part only once)
    // A. Write the SQL statement template (Register_info is an existing table)
    $sql = "INSERT INTO Register_info (Id, username, password, email, tel) VALUES (?,?,?,?,?)";

    // B. prepare() method: the preprocessing phase
    $stmt = $mysqli->prepare($sql);

    /*------------- The following code can be executed repeatedly and is handled by the $stmt object --------------*/
    // A. Bind the parameters with bind_param()
    // Assign values to the reserved ? placeholders; the types and order must match the ? marks.
    /*
    Format placeholders, list of type characters:
    i ---> int, integer
    s ---> string
    d ---> double, double-precision floating point
    b ---> blob (binary large object)
    */
    $id = 2;
    $username = 'King II';
    $password = '1237890';
    $email = 'user@example.com';   // placeholder: the original address was lost in extraction
    $tel = '12345678987';

    $stmt->bind_param('issss', $id, $username, $password, $email, $tel);

    // B. Start inserting
    if ($stmt->execute()) {
        echo 'Insert succeeded.';   // original message text was lost in extraction
    } else {
        echo 'Insert failed: ' . $stmt->error;
    }

    // 4. Close the prepared statement
    $stmt->close();

    // 5. Close the database connection
    $mysqli->close();
} else {
    die('Connect database failed!');
}
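The principle section above (parse the template once, bind parameters, execute many times) and the script that follows it only show a single INSERT. The following is an added example that is not part of the original page: it reuses one prepared INSERT for several rows, reads the data back with a prepared SELECT, and shows why a username containing a quote character is plain data with bound parameters but would change the SQL text in a concatenated query. It assumes the same server, credentials and Register_info table as the page's script, that Ids 10 and 11 are unused, and that the password column is wide enough for a password_hash() value; the function unsafeLookupSql and the sample rows are constructed for illustration.

```php
<?php
// Added example, not code from the original page. It assumes the same
// environment as the page's script: a MySQL server on localhost, user "root"
// with an empty password, database "register", and the existing table
// Register_info(Id, username, password, email, tel).

// Make mysqli throw exceptions instead of silently returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

$mysqli = new mysqli('localhost', 'root', '', 'register');
$mysqli->set_charset('utf8mb4');

// The pattern the page warns against, kept only as a function that builds
// SQL text so the difference is visible. A quote in $username lands inside
// the statement itself, so the parser sees changed SQL, not a value.
function unsafeLookupSql(string $username): string
{
    return "SELECT Id FROM Register_info WHERE username = '" . $username . "'";
}
// unsafeLookupSql("O'Brien") produces:
//   SELECT Id FROM Register_info WHERE username = 'O'Brien'
// which is no longer the query the developer wrote.

// 1. The template is parsed, compiled and optimized once (page steps 01-02).
$insert = $mysqli->prepare(
    'INSERT INTO Register_info (Id, username, password, email, tel) VALUES (?, ?, ?, ?, ?)'
);

// 2. bind_param() binds variables by reference: bind once, then change the
//    variables and call execute() again (page step 03).
$id = 0;
$username = '';
$password = '';
$email = '';
$tel = '';
$insert->bind_param('issss', $id, $username, $password, $email, $tel);

// Constructed sample rows (Ids assumed unused); the second username contains a single quote.
$rows = [
    [10, 'alice',   password_hash('secret-1', PASSWORD_DEFAULT), 'alice@example.com',  '10000000001'],
    [11, "O'Brien", password_hash('secret-2', PASSWORD_DEFAULT), 'obrien@example.com', '10000000002'],
];

foreach ($rows as [$id, $username, $password, $email, $tel]) {
    // Only the five values travel to the server; the SQL text is not resent
    // and not re-parsed, so the quote in O'Brien is stored as data.
    $insert->execute();
}
$insert->close();

// 3. Reading back with a prepared SELECT: the quote needs no escaping.
$name = "O'Brien";
$select = $mysqli->prepare('SELECT Id, email FROM Register_info WHERE username = ?');
$select->bind_param('s', $name);
$select->execute();
$select->bind_result($foundId, $foundEmail);
while ($select->fetch()) {
    echo "Found Id=$foundId email=$foundEmail\n";
}
$select->close();
$mysqli->close();
```

The loop is the point of the "parse once" advantage: the server compiled the INSERT template a single time, and each execute() sends only the bound values. Because those values never become part of the statement text, the apostrophe in O'Brien cannot terminate a string literal the way it does in the concatenated query built by unsafeLookupSql.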
