Too busy these days, but the series continues, haha; I'll try to wrap it up within half a month.
As mentioned above, the unsafe-input filtering feature comes from the database itself, but not every database provides it. Probably only MySQL, SQLite, PostgreSQL and Sybase have it; many databases, including Oracle and SQL Server, do not.
Given this situation, developers commonly fall back on one approach to keep unsafe data out of the database: base64 encoding. It removes the danger of every special character that might cause problems, but base64-encoded data grows by roughly 33%, which costs storage space. In PostgreSQL, the further problem with storing base64-encoded data is that you can no longer run a LIKE query against it.
Summing up, we know that we cannot rely on the database itself to escape strings. We need a way to neutralise dangerous characters before they can affect our query statement. Predefined queries (prepared queries, or prepared statements) are a great way to do this. What is a predefined query? It is essentially a template for a query statement: it fixes the structure of the statement and the data type of the parts that may vary. If the SQL we submit conforms to the template, it executes; otherwise it does not execute and an error is reported.
For example:
<?php
// Define the query template; $1 is the only part that may vary, and it is typed as text.
pg_query($conn, "PREPARE stmt_name (text) AS SELECT * FROM users WHERE name = $1");
// Pass the value as a properly quoted literal so that it cannot change the template
// (pg_prepare/pg_execute do the same without building SQL text by hand).
$literal = pg_escape_literal($conn, $name);
$result  = pg_query($conn, "EXECUTE stmt_name ($literal)");
pg_query($conn, "DEALLOCATE stmt_name");
PREPARE stmt_name (text) AS ... defines the format of the query: everything except $1 is fixed text that cannot be changed, and $1 is the placeholder for the parameter. Oh, I think this method is really a good way. But unfortunately not all databases support it.
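To make the contrast concrete, here is an added example (not code from the original post) showing the unsafe string concatenation the post warns about next to the prepared-statement form it recommends, using PHP's pg_prepare/pg_execute, which issue the same PREPARE/EXECUTE on the server. It assumes a connection string in $dsn and a table users(name text); the sample name is constructed.

```php
<?php
// Added example, not part of the original post.
// Assumptions: $dsn holds a PostgreSQL connection string and a table
// users(name text) exists.

function find_user_unsafe($conn, string $name)
{
    // The value is pasted into the statement text, so a quote character
    // inside $name changes the structure of the query itself. With the
    // sample name below this call fails with a syntax error.
    $sql = "SELECT * FROM users WHERE name = '$name'";
    return pg_query($conn, $sql);
}

function find_user_prepared($conn, string $name): array
{
    // pg_prepare sends PREPARE to the server. The statement text is fixed
    // here; $1 is the only variable part, typed as text by the server,
    // exactly like "PREPARE stmt_name (text) AS ..." in the post.
    // (Preparing the same name twice in one session is an error, so this
    // is written for a single call.)
    $stmt = pg_prepare($conn, 'find_user', 'SELECT * FROM users WHERE name = $1');
    if ($stmt === false) {
        throw new RuntimeException(pg_last_error($conn));
    }
    // pg_execute sends the value separately as a parameter, so it can only
    // ever be compared as data, whatever characters it contains.
    $result = pg_execute($conn, 'find_user', [$name]);
    if ($result === false) {
        throw new RuntimeException(pg_last_error($conn));
    }
    $rows = pg_fetch_all($result);
    return $rows === false ? [] : $rows;
}

function find_user_params($conn, string $name): array
{
    // pg_query_params does the same in a single round trip, without naming
    // a statement; useful when the query is only run once.
    $result = pg_query_params($conn, 'SELECT * FROM users WHERE name = $1', [$name]);
    if ($result === false) {
        throw new RuntimeException(pg_last_error($conn));
    }
    $rows = pg_fetch_all($result);
    return $rows === false ? [] : $rows;
}

$conn = pg_connect($dsn);
if ($conn === false) {
    die("connection failed\n");
}

// Constructed sample input: a legitimate name that happens to contain a quote.
$name = "O'Brien";

// The concatenated query breaks on the quote (returns false); the prepared
// forms treat the whole string as the name being searched for.
var_dump(find_user_unsafe($conn, $name));
var_dump(find_user_prepared($conn, $name));
var_dump(find_user_params($conn, $name));
```

The point of the prepared forms is that the query text never contains user data: the template is parsed first, and the value arrives afterwards as a typed parameter, so there is nothing to escape and no way for the input to alter the statement's structure.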