PHP SQL injection prevention measures

Recently I have still been a little uneasy when using the framework: I did not know whether the framework designer had taken the SQL injection issue into account, or whether I needed to do the necessary filtering at the top layer myself. So I went to StackOverflow and read up on it, which helped a lot, and then I looked at the internal methods of the framework's DB class and felt reassured. Here I share some of the approaches PHP programmers at home and abroad use to handle SQL injection.
It is widely recommended abroad that, whenever you run queries, you should achieve two things: 1. Prepared statements; 2. Parameterized queries.
I did not understand what this meant at first; the examples below should make it clearer. For a safer SQL statement, you must first prepare the variables used in the query. For example:
$name = $_POST['name'];
$sql = 'select * from user where name='.$name;
It is best to process $name first:
$name = mysql_real_escape_string($_POST['name']); // escapes quotes and other special characters; the mysql_* extension was removed in PHP 7, so use mysqli_real_escape_string() or PDO in current code
Then make the requested variable a value inside the query, rather than part of the SQL language itself:
$sql = 'select * from user where name=\''.$name.'\'';
Of course, this way of writing it is still rough.
Therefore, the prepare() / execute() methods of PDO or MySQLi are generally recommended:
$stmt = $pdo->prepare('SELECT * FROM user WHERE name = :name');
$stmt->execute(array('name' => $name));
About PDO::prepare()
The advantage of this is that you no longer need to worry about SQL being inserted into the query request, because anything bound this way is treated as a request value (a string or a number) and is never mistaken for the SQL language itself. This greatly reduces the chance of SQL injection.
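To make the difference concrete, here is an added example (not code from the original post) that runs the rough concatenated query and the PDO prepared statement side by side against an in-memory SQLite database; the table, its rows and the input value are constructed for the demo.

```php
<?php
// Added example: contrasts string concatenation with a PDO prepared statement.
// An in-memory SQLite database is used so this runs offline; the table,
// rows and the input value below are constructed for the demonstration.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE user (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$pdo->exec("INSERT INTO user (name) VALUES ('alice'), ('bob')");

// Constructed input standing in for $_POST['name']. It contains a single
// quote, so when concatenated it breaks out of the string literal.
$name = "alice' OR '1'='1";

// Rough form from the post: the variable becomes part of the SQL text.
function lookupConcat(PDO $pdo, string $name): array {
    $sql = "SELECT name FROM user WHERE name = '" . $name . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Recommended form: prepare() fixes the SQL text first, execute() binds the
// value, which the driver passes as data, so quotes in it are just characters.
function lookupPrepared(PDO $pdo, string $name): array {
    $stmt = $pdo->prepare('SELECT name FROM user WHERE name = :name');
    $stmt->execute(['name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Concatenation returns both rows: the WHERE clause was rewritten by the input.
var_dump(lookupConcat($pdo, $name));
// The prepared statement returns no rows: no user has that literal name.
var_dump(lookupPrepared($pdo, $name));
```

The same contrast holds for MySQL through the pdo_mysql driver; only the DSN in the constructor changes.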