Can the following code effectively prevent SQL injection? In general, how does the code below {code...} effectively prevent SQL injection?
How do you do this.
<?php
// $dbh (a PDO connection), $username and $pass are assumed to be set earlier in the script; the original omits them.
$dbh->setAttribute(PDO::ATTR_EMULATE_PREPARES, false); // disable emulated prepared statements so the server binds the parameters
$dbh->exec("set names 'utf8'");
$sql = "select * from table where username = ? and password = ?";
$query = $dbh->prepare($sql);
$exeres = $query->execute(array($username, $pass));
if ($exeres) {
    while ($row = $query->fetch(PDO::FETCH_ASSOC)) {
        print_r($row);
    }
}
$dbh = null;
?>
Reply content:
We recommend that you write this statement to prevent injection attacks more effectively.
......
$sql = "select * from table where username = ?";
......
// parentheses around the assignment are required: && binds tighter than =, so without them $row would be a boolean
while (($row = $query->fetch(PDO::FETCH_ASSOC)) && $row['pass'] === $pass) {
    print_r($row);
}
Your code can completely prevent SQL injection, because PDO uses prepared statements.
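To see concretely what the prepared statement in the question buys you, here is an added example that is not part of the question or either reply. It runs against an in-memory SQLite database (table `users` and its one row are constructed for the demo) and compares string concatenation with a PDO prepared statement on the same input, a username containing an apostrophe.

```php
<?php
// Added example, not from the original post. Uses pdo_sqlite so it runs offline.
// With the MySQL driver from the question you would additionally call
// $dbh->setAttribute(PDO::ATTR_EMULATE_PREPARES, false) so binding happens
// server-side; pdo_sqlite does not support that attribute, so it is omitted here.

function makeDb(): PDO {
    $dbh = new PDO('sqlite::memory:');
    $dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $dbh->exec("create table users (username text, pass text)");
    $dbh->exec("insert into users values ('alice', 'secret')"); // constructed row
    return $dbh;
}

// Weak: the user-supplied value is spliced into the SQL text, so any quote
// character in it changes the structure of the statement.
function lookupConcat(PDO $dbh, string $username): array {
    $sql = "select * from users where username = '" . $username . "'";
    return $dbh->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Safe: the SQL text is fixed at prepare() time; the value travels separately
// as a parameter and is only ever treated as data.
function lookupPrepared(PDO $dbh, string $username): array {
    $query = $dbh->prepare("select * from users where username = ?");
    $query->execute([$username]);
    return $query->fetchAll(PDO::FETCH_ASSOC);
}

$dbh = makeDb();
$name = "o'brien"; // constructed input containing a quote

try {
    lookupConcat($dbh, $name);
} catch (PDOException $e) {
    // The apostrophe altered the statement itself; that is the injection surface.
    echo "concatenation failed: " . $e->getMessage() . "\n";
}

// The same input is plain data here: no error, and the query shape is unchanged.
echo "prepared, quoted name: " . count(lookupPrepared($dbh, $name)) . " row(s)\n";
echo "prepared, alice: " . count(lookupPrepared($dbh, 'alice')) . " row(s)\n";
```

The first lookup raises a syntax error because the input rewrote the query; the prepared lookups return zero and one rows respectively, regardless of what characters the input contains.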