When using PDO to access the MySQL database, real real prepared statements is not used by default. To solve this problem, you must disable the emulation effect of prepared statements. Here's an example of creating a link using PDO:
$DBH = new PDO (' Mysql:dbname=dbtest;host=127.0.0.1;charset=utf8 ', ' user ', ' Pass '); $DBH->setattribute (pdo::attr_ Emulate_prepares, false);Let's take a look at a complete code usage example:
$DBH = new PDO ("Mysql:host=localhost; Dbname=dbtest "," User "," pass "), $dbh->setattribute (Pdo::attr_emulate_prepares, false); Disables the emulation effect of the prepared statements $dbh->exec ("Set names ' UTF8 '"); $sql = "SELECT * from test where name =? and password =? "; $stmt = $dbh->prepare ($sql), $exeres = $stmt->execute (Array ($testname, $pass)), if ($exeres) {while ($row = $stmt-&G T;fetch (PDO::FETCH_ASSOC)) { print_r ($row);}} $DBH = null;When prepare () is called, the query statement has been sent to the database server with only placeholders at this time? Send in the past, no user submitted data, when called to execute (), the user submitted values will be sent to the database, they are separate transmission, the two independent, SQL attackers do not have a chance.
But here are a few things to keep in mind that PDO doesn't help you prevent SQL injection
1. You can't make a placeholder? Instead of a set of values, such as:
SELECT * FROM blog WHERE userid in (?);
2. You cannot have placeholders in place of data table or column names, such as:
SELECT * FROM blog ORDER by?;
SELECT EXTRACT (? From Datetime_column) as variable_datetime_element from blog;
The mechanism of PDO to prevent SQL injection
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
