PDO prepared statements prevent SQL injection attacks
An SQL injection attack is one in which an attacker inserts SQL commands into the input fields of a web form or into the query string of a page request, tricking the server into executing malicious SQL. In some forms the text entered by the user is used directly to build (or influence) a dynamic SQL command, or is passed as an input parameter to a stored procedure; such forms are especially vulnerable to SQL injection.
Method 1
<?php
$dsn = "mysql:dbname=study;host=localhost";
$pdo = new PDO($dsn, "root", "root");
// write the prepared statement, with ? as positional placeholders
$sql = "insert into class values (?,?)";
// send the statement to the server, which parses it and waits for execution; a PDOStatement object is returned
$stm = $pdo->prepare($sql);
// bind variables to the placeholders; bindParam binds by reference, so the values are read at execute() time
$stm->bindParam(1, $Sclass);
$stm->bindParam(2, $linoleic);
$Sclass = "7";
$linoleic = "Class 7";
// run it
$stm->execute();
Abbreviated method 1
<?php
$dsn = "mysql:dbname=study;host=localhost";
$pdo = new PDO($dsn, "root", "root");
// write the prepared statement, with ? as positional placeholders
$sql = "insert into class values (?,?)";
// send the statement to the server, which parses it and waits for execution; a PDOStatement object is returned
$stm = $pdo->prepare($sql);
// define an indexed array; its order matches the order of the ? placeholders
$arr = array("8", "eight classes");
// execute, passing the values in the array
$stm->execute($arr);
Method 2
<?php
$dsn = "mysql:dbname=study;host=localhost";
$pdo = new PDO($dsn, "root", "root");
// prepared statement with named placeholders
$sql = "insert into class VALUES (:Sclass, :linoleic)";
$stm = $pdo->prepare($sql);
// create an associative array whose keys are the placeholder names
$arr = array("Sclass" => "10", "linoleic" => "Class 10");
// execute, passing the values in the array
$stm->execute($arr);
Method 2 is the simplest, and it is the recommended one. For example, when the form's field names are exactly the placeholder names, the submitted data can be passed straight to execute():
<?php
$dsn = "mysql:dbname=study;host=localhost";
$pdo = new PDO($dsn, "root", "root");
// prepared statement with named placeholders
$sql = "insert into class VALUES (:Sclass, :linoleic)";
$stm = $pdo->prepare($sql);
// execute directly with the form data; the form fields must be named Sclass and linoleic, and nothing else may be submitted
$stm->execute($_POST);
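As an added example that is not part of the original post: the string-built query that prepared statements replace, shown beside the prepared form, plus the field check a practitioner would put in front of execute($_POST), since an extra or missing key makes execute() fail. The "study" database and the class table's column names come from the post; the charset in the DSN, the helper function names and the sample values are my assumptions.

```php
<?php
// Added example, not from the original post. Assumes the post's "study"
// database and two-column "class" table; charset and helper names are mine.
$dsn = "mysql:dbname=study;host=localhost;charset=utf8mb4";
$pdo = new PDO($dsn, "root", "root", [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // failures throw instead of returning false
    PDO::ATTR_EMULATE_PREPARES => false,                   // server-side prepare: values never enter the SQL text
]);

// Constructed attacker-style input: tries to close the quoted value and add a row.
$badName = "Class 7'), ('99', 'injected row";

// VULNERABLE (what prepared statements replace): the value is spliced into the
// SQL string, so the quote above changes the statement's structure and two
// rows are inserted. Shown for comparison only; never call it with request data.
function insertClassUnsafe(PDO $pdo, string $id, string $name): void
{
    $pdo->exec("INSERT INTO class VALUES ('$id', '$name')");
}

// HARDENED: the statement text is fixed at prepare() time; the values travel
// separately as parameters, so $badName is stored verbatim as one string.
function insertClassSafe(PDO $pdo, string $id, string $name): void
{
    $stm = $pdo->prepare("INSERT INTO class VALUES (:Sclass, :linoleic)");
    $stm->execute(["Sclass" => $id, "linoleic" => $name]);
}

// Request handling: passing $_POST straight to execute() only works while the
// form sends exactly the placeholder names. Any extra key (a submit button, a
// CSRF token) or a missing key makes execute() fail (pdo_mysql reports SQLSTATE
// HY093), so select the expected fields explicitly and reject anything else.
function insertClassFromRequest(PDO $pdo, array $post): void
{
    $params = [];
    foreach (["Sclass", "linoleic"] as $field) {
        if (!isset($post[$field]) || !is_string($post[$field])) {
            throw new InvalidArgumentException("missing or invalid field: $field");
        }
        $params[$field] = $post[$field];
    }
    insertClassSafe($pdo, $params["Sclass"], $params["linoleic"]);
}

insertClassSafe($pdo, "7", $badName);   // exactly one row; the name is stored literally
insertClassFromRequest($pdo, ["Sclass" => "12", "linoleic" => "Class 12", "submit" => "Save"]);
```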