We use the traditional mysql_connect, mysql_query method to connect query database, if the filter is not strict, there is the risk of SQL injection, resulting in the site is attacked, out of control. Although you can use the mysql_real_escape_string () function to filter user-submitted values, there are also flaws. The SQL injection risk can be avoided by using PHP's PDO extension's prepare method.
When using PDO to access the MySQL database, real real prepared statements is not used by default. To solve this problem, you must disable the emulation effect of prepared statements. Here's an example of creating a link using PDO:
New PDO (' Mysql:dbname=dbtest;host=127.0.0.1;charset=utf8 ', ' user ', ' Pass '); false);
SetAttribute () This line is mandatory, it tells PDO to disable the impersonation preprocessing statement, and uses the real parepared statements. This ensures that SQL statements and corresponding values are not parsed by PHP until they are passed to the MySQL server (all possible malicious SQL injection attacks are prohibited).
Although you can set the properties of the character set in the config file (Charset=utf8), it is important to note that older versions of PHP (< 5.3.6) Ignore character parameters in DSN.
Let's take a look at a complete code usage example:
$DBH =New PDO ("Mysql:host=localhost; Dbname=demo "," User "," pass ");$DBH->setattribute (Pdo::attr_emulate_prepares,FALSE);//Disable prepared Statements simulation effect$dbhEXEC ("Set names ' UTF8 '");$sql = "SELECT * from test where name =? and password =? "; $stmt = $DBH->prepare ( $sql ); $exeres = $stmt->execute ( array ( $testname, $ Passif ( $exeres while ( $row = $stmt->fetch (pdo::FETCH_ASSOC) {print_r ( $row $DBH = null;
The above code will prevent SQL injection. Why is it?
When prepare () is called, the query statement has been sent to the database server, where there are only placeholders? Send in the past, no user-submitted data, when called to execute (), the user submitted the value will be sent to the database, they are separate transmission, the two independent, SQL attackers have little chance .
But here are a few things to keep in mind that PDO doesn't help you prevent SQL injection
1. You can't make a placeholder? Instead of a set of values, such as:
1 |
SELECT * FROM blog WHERE userid IN ( ? ); |
2. You cannot have placeholders in place of data table or column names, such as:
SELECT * FROM blog ORDER by?;
3. You can't make a placeholder? Instead of any other SQL syntax, such as:
as variable_datetime_element from blog;
Complete.
How PDO prevents SQL injection