A simple way to prevent SQL injection in PHP.
This example describes how to prevent SQL injection in PHP. It is shared here for your reference; the details are as follows:
Method 1: pass the parameters to execute()
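<?php

declare(strict_types=1);

// Method 1: prepared statements with the values passed to execute().
//
// $_POST is expected to hold alternating values: the even subscript $i is a
// product id and the odd subscript $j = $i + 1 is that product's stock count.
// For each pair the script updates the existing row or inserts a new one.
//
// The SQL text handed to prepare() contains only "?" placeholders; the
// user-supplied values travel separately in execute(), so the database never
// parses them as SQL and they cannot change the statement.
if (count($_POST) !== 0) {
    $host = 'aaa';
    $database = 'bbb';
    $username = 'ccc';
    $password = '***';

    // Create the PDO object.
    // - ATTR_EMULATE_PREPARES false: the MySQL server binds the parameters
    //   (native prepared statements) instead of PDO interpolating them
    //   client-side.
    // - ATTR_ERRMODE exception: a failed prepare/execute throws instead of
    //   returning false, which the original code never checked.
    // - charset in the DSN: the connection encoding is explicit, so client
    //   and server agree on how the bound strings are interpreted.
    $pdo = new PDO(
        "mysql:host=$host;dbname=$database;charset=utf8mb4",
        $username,
        $password,
        [
            PDO::ATTR_EMULATE_PREPARES => false,
            PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        ]
    );

    // Prepare each statement once; the loop only supplies different values.
    $select = $pdo->prepare('SELECT good_id FROM delphi_test_content WHERE good_id = ?');
    $update = $pdo->prepare('UPDATE delphi_test_content SET content = ? WHERE good_id = ?');
    $insert = $pdo->prepare('INSERT INTO delphi_test_content (good_id, content) VALUES (?, ?)');

    $num = count($_POST);
    for ($i = 0; $i < $num; $i += 2) {
        $j = $i + 1; // subscript of the stock count that belongs to product $i

        // Skip a trailing id without a stock count, non-string values
        // (e.g. name[] fields) and any pair that is not purely numeric.
        // This validation is defence in depth: the prepared statement alone
        // already prevents injection.
        if (
            !isset($_POST[$i], $_POST[$j])
            || !is_string($_POST[$i])
            || !is_string($_POST[$j])
        ) {
            continue;
        }
        $goodId = trim($_POST[$i]);
        $content = trim($_POST[$j]);
        if (!is_numeric($goodId) || !is_numeric($content)) {
            continue;
        }

        // Does a row for this product id already exist? fetchColumn() is used
        // instead of rowCount(), which is not guaranteed for SELECT statements.
        $select->execute([$goodId]);
        $exists = $select->fetchColumn() !== false;
        $select->closeCursor();

        if ($exists) {
            // Known product: update its stock count.
            $update->execute([$content, $goodId]);
        } else {
            // Unknown product: add the id / stock pair.
            // NOTE(review): check-then-insert is not atomic; two concurrent
            // requests for the same new id can both reach the INSERT.
            $insert->execute([$goodId, $content]);
        }
    }

    $pdo = null; // close the connection
}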
Method 2: bind the parameters with bindParam()
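<?php

declare(strict_types=1);

// Method 2: prepared statements with the values bound through bindParam().
//
// $_POST is expected to hold alternating values: the even subscript $i is a
// product id and the odd subscript $j = $i + 1 is that product's stock count.
// For each pair the script updates the existing row or inserts a new one.
//
// bindParam() binds a PHP variable by reference; the value is read when
// execute() runs. Each statement is therefore prepared and bound once, and
// the loop only assigns new values to $goodId / $content before executing.
// The original code both executed with an array and then bound and executed
// again, so every statement ran twice.
if (count($_POST) !== 0) {
    $host = 'aaa';
    $database = 'bbb';
    $username = 'ccc';
    $password = '***';

    // Create the PDO object.
    // - ATTR_EMULATE_PREPARES false: the MySQL server binds the parameters
    //   (native prepared statements) instead of PDO interpolating them
    //   client-side.
    // - ATTR_ERRMODE exception: a failed prepare/execute throws instead of
    //   returning false, which the original code never checked.
    // - charset in the DSN: the connection encoding is explicit, so client
    //   and server agree on how the bound strings are interpreted.
    $pdo = new PDO(
        "mysql:host=$host;dbname=$database;charset=utf8mb4",
        $username,
        $password,
        [
            PDO::ATTR_EMULATE_PREPARES => false,
            PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        ]
    );

    // Variables bound by reference below; reassigned on every iteration.
    $goodId = '';
    $content = '';

    // Prepare each statement once and bind its placeholders to the variables.
    $select = $pdo->prepare('SELECT good_id FROM delphi_test_content WHERE good_id = ?');
    $select->bindParam(1, $goodId);

    $update = $pdo->prepare('UPDATE delphi_test_content SET content = ? WHERE good_id = ?');
    $update->bindParam(1, $content);
    $update->bindParam(2, $goodId);

    $insert = $pdo->prepare('INSERT INTO delphi_test_content (good_id, content) VALUES (?, ?)');
    $insert->bindParam(1, $goodId);
    $insert->bindParam(2, $content);

    $num = count($_POST);
    for ($i = 0; $i < $num; $i += 2) {
        $j = $i + 1; // subscript of the stock count that belongs to product $i

        // Skip a trailing id without a stock count, non-string values
        // (e.g. name[] fields) and any pair that is not purely numeric.
        // This validation is defence in depth: the prepared statement alone
        // already prevents injection.
        if (
            !isset($_POST[$i], $_POST[$j])
            || !is_string($_POST[$i])
            || !is_string($_POST[$j])
        ) {
            continue;
        }
        $goodId = trim($_POST[$i]);
        $content = trim($_POST[$j]);
        if (!is_numeric($goodId) || !is_numeric($content)) {
            continue;
        }

        // Does a row for this product id already exist? fetchColumn() is used
        // instead of rowCount(), which is not guaranteed for SELECT statements.
        $select->execute();
        $exists = $select->fetchColumn() !== false;
        $select->closeCursor();

        if ($exists) {
            // Known product: update its stock count.
            $update->execute();
        } else {
            // Unknown product: add the id / stock pair.
            // NOTE(review): check-then-insert is not atomic; two concurrent
            // requests for the same new id can both reach the INSERT.
            $insert->execute();
        }
    }

    $pdo = null; // close the connection
}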