Does using the TB framework for development also prevent SQL injection? How do I prevent SQL injection? Hoping an expert can answer.
Reply content:
Simply put:
Use PDO to access the database, write the SQL statement to be executed with ? or named placeholders instead of concatenating strings, then call bindParam to bind the parameter and specify its type.
A simple example:
$pdo = new PDO("mysql:host=$servername;dbname=myDB", $username, $password); // first create a PDO instance
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); // make PDO throw exceptions on errors
$sql = 'SELECT * FROM article WHERE id > ? ;'; // use a ? placeholder
$minId = 10; // the variable to bind (sample value added so the example runs)
try {
    $stmt = $pdo->prepare($sql); // the returned statement object is assigned to $stmt
    $stmt->bindParam(1, $minId, PDO::PARAM_INT); // bindParam(placeholder position, variable to bind [, data type]) is a method of $stmt, not of $pdo
    $stmt->execute(); // execute the SQL statement
} catch (PDOException $e) {
    echo 'Execute SQL failed: ' . $e->getMessage();
    exit();
}
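As an added example (not part of the answer above), the same lookup written once by string concatenation and once as a prepared statement, run against an in-memory SQLite database through pdo_sqlite so it needs no MySQL server; the article table, its rows and the hostile input are constructed here for the demonstration.

```php
<?php
// Added example, not from the original answer. Assumes the pdo_sqlite extension is available.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Constructed schema and sample rows.
$pdo->exec('CREATE TABLE article (id INTEGER PRIMARY KEY, title TEXT, body TEXT)');
$pdo->exec("INSERT INTO article (title, body) VALUES ('hello', 'public post'), ('draft', 'not yet published')");

// Vulnerable: the input is pasted into the SQL text, so a quote inside it ends the
// string literal and whatever follows is parsed as SQL.
function findByTitleUnsafe(PDO $pdo, string $title): array
{
    $sql = "SELECT id, title FROM article WHERE title = '" . $title . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: the SQL text holds only a placeholder; the value is bound separately
// and the driver treats it purely as data, never as part of the statement.
function findByTitleSafe(PDO $pdo, string $title): array
{
    $stmt = $pdo->prepare('SELECT id, title FROM article WHERE title = ?');
    $stmt->bindValue(1, $title, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

function expectRows(string $label, array $rows, int $expected): void
{
    if (count($rows) !== $expected) {
        throw new RuntimeException("$label: expected $expected rows, got " . count($rows));
    }
    echo "$label: " . count($rows) . " row(s)\n";
}

// A normal lookup behaves the same in both versions.
expectRows('unsafe, normal input', findByTitleUnsafe($pdo, 'hello'), 1);
expectRows('safe, normal input', findByTitleSafe($pdo, 'hello'), 1);

// Constructed hostile input: a quote followed by an always-true condition.
$hostile = "' OR '1'='1";
// Concatenated, the query becomes WHERE title = '' OR '1'='1' and returns every row.
expectRows('unsafe, hostile input', findByTitleUnsafe($pdo, $hostile), 2);
// Prepared, it looks for an article literally titled "' OR '1'='1" and finds none.
expectRows('safe, hostile input', findByTitleSafe($pdo, $hostile), 0);
```

With the MySQL driver the same code applies; setting PDO::ATTR_EMULATE_PREPARES to false makes the server perform the binding instead of PDO substituting quoted values client-side.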
Use parameterized queries with MySQLi or PDO.
Whether or not you use a framework, PDO has no relationship whatsoever with injection. Many people wrongly believe that PDO can prevent injection and try to prevent it through placeholders and prepared statements, but these cannot actually be 100% effective. Writing a global filter that filters out SQL keywords is the safer practice.