Why does Mysql preprocessing prevent SQL injection ???
For example:
PHP code
$link = new mysqli('localhost', 'root', '111111', 'test');
$link->set_charset('utf8');
// the two "?" are placeholders; the values are bound separately below
$sql = 'SELECT * FROM test WHERE id=? AND name=?';
$stmt = $link->prepare($sql);
$stmt->bind_param('is', $id, $name); // 'i' = integer for id, 's' = string for name
$stmt->execute();
In the above example, my understanding is:
Before MySQL executes the statement, the type of each "?" value in the SQL statement is already fixed.
Therefore, even if a string is passed for the first "?", it is converted to an integer, which prevents SQL injection.
However, the "?" for name is supposed to be passed a string. How does it prevent SQL injection if I pass it an SQL injection statement?
I don't know if my understanding is correct. Please kindly advise! Thank you!!
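An added, runnable illustration of the question (not code from the thread): the same SELECT built by string concatenation beside the placeholder form from the question, run against a constructed in-memory SQLite table standing in for the asker's `test` table, and an `int()` cast standing in for the 'i' type of bind_param. Table rows and the test input are constructed here.

```python
import sqlite3

# Constructed sample rows standing in for the asker's `test` table.
ROWS = [(1, "alice"), (2, "bob"), (3, "carol")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE test (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO test VALUES (?, ?)", ROWS)
    return conn


def find_unsafe(conn, id_value, name):
    # The values are pasted into the SQL text, so a quote inside `name`
    # becomes part of the query and changes its meaning.
    sql = f"SELECT id, name FROM test WHERE id={id_value} AND name='{name}'"
    return conn.execute(sql).fetchall()


def find_prepared(conn, id_value, name):
    # Mirrors $stmt->bind_param('is', $id, $name): the 'i' slot is forced to
    # an integer (here via int(), which rejects non-numeric text instead of
    # truncating it), and the 's' slot is handed to the driver as a bound
    # value. The SQL text never changes, so quotes in `name` are just
    # characters that the database compares against the column.
    sql = "SELECT id, name FROM test WHERE id=? AND name=?"
    return conn.execute(sql, (int(id_value), str(name))).fetchall()


def demo():
    conn = make_db()
    injected = "x' OR '1'='1"  # constructed input with an embedded quote
    return {
        "unsafe": find_unsafe(conn, 1, injected),     # returns every row
        "prepared": find_prepared(conn, 1, injected), # returns no row
        "honest": find_prepared(conn, 2, "bob"),      # normal lookup
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

The unsafe query becomes `... WHERE id=1 AND name='x' OR '1'='1'`, which matches everything; the prepared query looks for a name that literally equals `x' OR '1'='1` and finds nothing.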
------ Solution --------------------
addslashes()
------ Solution --------------------
The implementation of prepare preprocessing is actually an internal escaping process. You cannot see the escape characters; it is just as if you had encapsulated an escaping method yourself. If the statement is executed directly without preprocessing, nothing is escaped, so the risk increases.
------ Solution --------------------
Discussion
Quoting the reply above:
    The implementation of prepare preprocessing is actually an internal escaping process. You cannot see the escape characters; it is just as if you had encapsulated an escaping method yourself. If the statement is executed directly without preprocessing, nothing is escaped, so the risk increases.
Is it like using addslashes() or mysql_escape_string(), as mentioned above?
------ Solution --------------------
Look up what you don't understand on php.net; if you can't find it there, then ask the forum.
The conclusion is that you do not need to use addslashes(). Whatever is in your SQL statement, you do not need to surround the value with '' either; prepare does the 'addslashes()' fully automatically.
------ Solution --------------------
$v = (is_int($v) ? $v : "'" . pg_escape_string($v) . "'");
Is LZ (the original poster) using the same thing as I do? Placeholder mode.
Each "?" is replaced with its value one by one before the query: an integer is checked with is_int(), and a string goes through pg_escape_string().
pg_escape_string(): escapes a text/char data type string and returns the escaped string. It is recommended to use this function instead of addslashes(). (I use a pgsql database.)
$real_sql .= preg_replace('/\?/', $v, $sql_arr[$key], 1); is this it?
------ Solution --------------------
mysql_escape_string() is used on the parameter that accepts a user's value, or that writes a user-sent value, to prevent SQL injection.