About PDO and SQL injection prevention (still a PHP newbie)
Recently I started switching to PDO.
Question 1
I used to know how to use mysql_real_escape_string.
However, I recently learned that mysql_real_escape_string cannot be used with PDO.
That function seems to be available only after a connection has been made with mysql_connect().
I also know that we should use the bindParam method together with prepared statements:
$stmt = $dbh->prepare("INSERT INTO user (firstname, surname) VALUES (:f_name, :s_name)"); // placeholder names may only contain letters, digits and underscores
$first = 'John';   // bindParam binds a variable by reference, so a literal cannot be passed directly
$last  = 'Smith';
$stmt->bindParam(':f_name', $first);
$stmt->bindParam(':s_name', $last);
$stmt->execute();
I would like to ask: is bindParam safe enough?
Or is it better to use bindValue?
Question 2
What is the difference compared with mysql_real_escape_string?
After processing with mysql_real_escape_string, when writing data to the database,
Tom's Book is shown in PHP, after processing, as Tom \'s Book,
but in the database only Tom's Book is saved.
This is very convenient for display at the front end, because after all it is a pure SELECT, so there should be no security issue?
But here the problem arises.
Since bindParam escapes automatically and even saves the escaped form to the database, I don't know where I am supposed to use stripslashes() at the front end.
Doesn't that add difficulty everywhere?
There are only three possibilities for this question, right?
1. Does PDO have other anti-SQL-injection methods? Do I have to save it this way?
2. Maybe some configuration file can be added... to apply stripslashes() site-wide? That seems not feasible?
3. Honestly, apart from dates or category IDs, add them one by one?
I would also like to ask about this:
$stmt = $dbh->prepare("INSERT INTO user (firstname, surname) VALUES (:f_name, :s_name)"); // placeholder names may only contain letters, digits and underscores
$first = 'John';   // bindParam binds a variable by reference, so a literal cannot be passed directly
$last  = 'Smith';
$stmt->bindParam(':f_name', $first);
$stmt->bindParam(':s_name', $last);
$stmt->execute();
Besides "?", is this (named placeholder) method reasonable?
Also, the official team suggests that to use PDO we should upgrade to 5.3.6? So what should I pay special attention to if I upgrade directly to 5.4?
Reply to discussion (solution)
I am a newbie, but I still don't know about the existence of the PDO::quote method.
Using PDO requires upgrading to 5.3.6 because PDO only became of practical value from 5.3.6 on; all earlier versions had various serious problems.
prepare: prepares the statement.
bindParam: binds the parameters.
This is designed for using one SQL statement several times (with different parameters only), without having to assemble the query string each round.
PHP uses magic_quotes_gpc to decide whether to escape external data.
PHP 5.3.6 and later: disabled by default.
PHP 5.4.0 and later: its existence is ignored.
That is to say, the security problem is your own problem; PHP is not going to handle it for you.
I used prepare and bindParam.
Not enough?
Should I use PDO::quote?
I'd like to ask:
Isn't prepare then replaced by quote?
Then can't I use prepared statements or batch inserts?
Preparing and then using execute, versus directly using query, are two separate channels.
quote is an escape; with a prepared statement, execute runs the query automatically and implicitly.
With quote, you must execute the query explicitly.
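As an added example (not code from the thread or from PHP's own documentation), here are the three channels the replies above contrast for getting user input into a query: plain string concatenation, a prepared statement with a bound parameter, and PDO::quote followed by query(). It uses an in-memory SQLite database so it runs offline; the table, the rows and the attacker input are constructed for the demo, and the thread itself is about MySQL, where the same PDO calls apply.

```php
<?php
// Added example, not from the thread: vulnerable concatenation vs. prepare/bind
// vs. PDO::quote + query. In-memory SQLite so it runs offline; the PDO API is
// the same for the MySQL driver the thread is about.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE user (id INTEGER PRIMARY KEY, firstname TEXT, surname TEXT)');
$pdo->exec("INSERT INTO user (firstname, surname) VALUES ('John', 'Smith')");
$pdo->exec("INSERT INTO user (firstname, surname) VALUES ('Peter', 'Jones')");

// Constructed attacker input: closes the string literal and appends an OR.
$evil = "x' OR '1'='1";

// 1. Vulnerable: the value is pasted into the SQL text, so the attacker's
//    quote ends the literal and the rest is parsed as SQL (WHERE ... OR '1'='1').
function findByNameConcat(PDO $pdo, string $name): array
{
    $sql = "SELECT firstname FROM user WHERE firstname = '$name'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// 2. Prepared statement: the value travels as a parameter and is never part of
//    the SQL text, so no escaping is needed at all.
function findByNamePrepared(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT firstname FROM user WHERE firstname = :name');
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// 3. PDO::quote + query: the "other channel" from the reply. quote() escapes the
//    value AND wraps it in quotes, so the SQL must not add its own quotes, and
//    the query has to be run explicitly with query().
function findByNameQuoted(PDO $pdo, string $name): array
{
    $sql = 'SELECT firstname FROM user WHERE firstname = ' . $pdo->quote($name);
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

echo "concat:   "; var_dump(findByNameConcat($pdo, $evil));
echo "prepared: "; var_dump(findByNamePrepared($pdo, $evil));
echo "quoted:   "; var_dump(findByNameQuoted($pdo, $evil));
```

Run it with `php example.php`. The concatenated version matches every row, because the injected OR is parsed as SQL; the prepared and the quoted versions match nothing, because the whole input is treated as one literal value that no row has. Of the two safe channels, prepare plus bind is the one to prefer: it does not rely on escaping at all, while quote() only works if you use its result exactly as returned, surrounding quotes included.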
OK??
But...
$sql = "INSERT INTO foo (id, name) VALUES ('', :name)";
$stmt = $pdo->prepare($sql);
$stmt->bindParam(':name', $name);      // binds the variable $name by reference; its value is read at execute()
$name = $pdo->quote($_POST["name"]);   // PDO::quote returns the escaped value wrapped in quotes
$stmt->execute();
For example, I enter peter's book.
But why is it stored as 'Peter's Book'?
Is this normal?
What is the output?
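As an added example, not part of the original thread, the bindParam versus bindValue behaviour behind the last snippet (and behind the bindParam/bindValue question at the top): bindParam binds a variable by reference and only reads it when execute() runs, so a value that is quoted after binding is sent to the database with the quotes and escaping already applied, and that is what gets stored. The table, the input string standing in for $_POST["name"] and the variable names are constructed for the demo; it uses in-memory SQLite so it runs offline.

```php
<?php
// Added example, not from the thread: why quote() + bindParam stores the quotes,
// and what bindValue / execute(array) do instead. In-memory SQLite, runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE foo (id INTEGER PRIMARY KEY, name TEXT)');

// Constructed input standing in for $_POST["name"].
$input = "peter's book";

// Case A: the thread's pattern. bindParam binds the VARIABLE by reference, and
// the value is read when execute() runs, so the quoted string is what is sent.
$stmtA = $pdo->prepare('INSERT INTO foo (name) VALUES (:name)');
$stmtA->bindParam(':name', $name);
$name = $pdo->quote($input);   // now the string 'peter''s book', quotes included
$stmtA->execute();             // stores the quoted, escaped form as data

// Case B: bindValue copies the value at bind time; later changes are ignored,
// and the raw text is stored as-is, nothing escaped, nothing to strip later.
$stmtB = $pdo->prepare('INSERT INTO foo (name) VALUES (:name)');
$nameB = $input;
$stmtB->bindValue(':name', $nameB, PDO::PARAM_STR);
$nameB = 'changed after bind';  // has no effect on what is executed
$stmtB->execute();

// Case C: the usual shorthand, passing the raw value to execute().
$stmtC = $pdo->prepare('INSERT INTO foo (name) VALUES (:name)');
$stmtC->execute([':name' => $input]);

// Read back exactly what was stored (SELECT, no stripslashes() anywhere).
function storedNames(PDO $pdo): array
{
    return $pdo->query('SELECT name FROM foo ORDER BY id')->fetchAll(PDO::FETCH_COLUMN);
}

foreach (storedNames($pdo) as $i => $stored) {
    echo chr(ord('A') + $i), ': ', $stored, "\n";
}
```

Case A stores the quoted string: with SQLite that is `'peter''s book'` (the driver doubles the inner quote); with the MySQL driver, quote() backslash-escapes it instead, but either way the surrounding quotes and the escaping become part of the stored data, which is the 'Peter's Book' effect asked about above. Cases B and C store `peter's book` exactly as typed, so nothing has to be undone with stripslashes() when the value is displayed later. Binding the raw input once, and never calling quote() on a value that is also bound, is the whole rule.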