本文執行個體講述了PHP簡單實現防止SQL注入的方法。分享給大家供大家參考,具體如下:
方法一:execute代入參數
<?phpif(count($_POST)!= 0) { $host = 'aaa'; $database = 'bbb'; $username = 'ccc'; $password = '***'; $num = 0; $pdo = new PDO("mysql:host=$host;dbname=$database", $username, $password);//建立一個pdo對象 foreach ($_POST as $var_Key => $var_Value) { //擷取POST數組最大值 $num = $num + 1; } //下標為i的數組儲存的是商品id, 下標為j數組的儲存的是此商品的庫存 for($i=0;$i<$num;$i=$i+2) { //庫存下標 $j = $i+1; //判斷傳遞過來的資料合法性 if(is_numeric(trim($_POST[$i])) && is_numeric(trim($_POST[$j]))){ //禁用prepared statements的模擬效果 $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false); //查詢資料庫中是否存在該ID的商品 //當調用 prepare() 時,查詢語句已經發送給了資料庫伺服器,此時只有預留位置 ? 發送過去,沒有使用者提交的資料 $stmt = $pdo->prepare("select good_id from delphi_test_content WHERE good_id = ?"); //當調用到 execute()時,使用者提交過來的值才會傳送給資料庫,他們是分開傳送的,兩者獨立的,SQL攻擊者沒有一點機會。 $stmt->execute(array($_POST[$i])); //返回查詢結果 $count = $stmt->rowCount(); //如果本機資料庫存在該商品ID和庫存記錄,就更新該商品的庫存 if($count != 0) { $stmt = $pdo->prepare("update delphi_test_content set content = ? WHERE good_id = ?"); $stmt->execute(array($_POST[$j], $_POST[$i])); } //如果本機資料庫沒有該商品ID和庫存記錄,就新增該條記錄 if($count == 0) { $stmt = $pdo->prepare("insert into delphi_test_content (good_id,content) values (?,?)"); $stmt->execute(array($_POST[$i], $_POST[$j])); } } } $pdo = null; //關閉串連}?>
方法二:bindParam綁定參數
<?phpif(count($_POST)!= 0) { $host = 'aaa'; $database = 'bbb'; $username = 'ccc'; $password = '***'; $num = 0; $pdo = new PDO("mysql:host=$host;dbname=$database", $username, $password);//建立一個pdo對象 foreach ($_POST as $var_Key => $var_Value) { //擷取POST數組最大值 $num = $num + 1; } //下標為i的數組儲存的是商品id, 下標為j數組的儲存的是此商品的庫存 for($i=0;$i<$num;$i=$i+2) { //庫存下標 $j = $i+1; //判斷傳遞過來的資料合法性(此資料為商品編號以及庫存,嚴格來說字串全是由數字組成的) if(is_numeric(trim($_POST[$i])) && is_numeric(trim($_POST[$j]))){ //查詢資料庫中是否存在該ID的商品 $stmt = $pdo->prepare("select good_id from delphi_test_content WHERE good_id = ?"); $stmt->execute(array($_POST[$i])); $stmt->bindParam(1,$_POST[$i]); $stmt->execute(); //返回查詢結果 $count = $stmt->rowCount(); //如果本機資料庫存在該商品ID和庫存記錄,就更新該商品的庫存 if($count != 0) { $stmt = $pdo->prepare("update delphi_test_content set content = ? WHERE good_id = ?"); $stmt->execute(array($_POST[$j], $_POST[$i])); $stmt->bindParam(1,$_POST[$j]); $stmt->bindParam(2,$_POST[$i]); $stmt->execute(); } //如果本機資料庫沒有該商品ID和庫存記錄,就新增該條記錄 if($count == 0) { $stmt = $pdo->prepare("insert into delphi_test_content (good_id,content) values (?,?)"); $stmt->bindParam(1,$_POST[$i]); $stmt->bindParam(2,$_POST[$j]); $stmt->execute(); } } } $pdo = null; //關閉串連}?>
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
