Is development using the tb framework still used to prevent SQL injection? How to prevent SQL injection? Is it possible to prevent SQL injection for tb Framework development? How to prevent SQL injection? How can this problem be solved?
Reply content:
Is development using the tb framework still used to prevent SQL injection? How to prevent SQL injection? How can this problem be solved?
A simple:
To use PDO to operate databases, use placeholder or? in the SQL statement to be executed? Placeholders instead of directly concatenate strings, bindParam is used to bind parameters and specify the parameter type.
A simple example
$ Pdo = new PDO ("mysql: host = $ servername; dbname = myDB", $ username, $ password); // create a new PDO $ pdo-> setAttribute (PDO:: ATTR_ERRMODE, PDO: ERRMODE_EXCEPTION); // the error code $ SQL = 'select * FROM article WHERE id>? ; '; // Use? Placeholder try {$ stmt = $ pdo-> prepare (SQL); // The Returned statment value is assigned to $ stmt-> bindParam (location of the placeholder to be bound, variable [, data type]) to be bound; // bindParam () is the $ stmt method instead of the $ pdo method $ stmt-> execute (); // Execute SQL statement} catch (PDOException $ e) {echo 'execute SQL failed :'. $ e-> getMessage (); exit ();}
Parameterized query using mysqli or pdo
No matter whether you are in the framework or what PDO is related to injection, many people mistakenly understand that PDO can prevent injection and try to prevent it by using percentages and preprocessing, in fact, none of these can play a 100% effect. it is safer to write global filtering and filter out SQL keywords.