如何在 SQL 查询中使用准备好的和绑定的语句
有人告诉我,下面的查询非常容易受到 sql 注入的影响 - 我应该使用绑定参数,
class search
{
public $mysqli = null;
public function __construct($mysqli,$keyword = null)
{
$this->mysqli = $mysqli;
}
public function get_result($parameter)
{
$sql = "
SELECT *
FROM root_contacts_cfm
WHERE root_contacts_cfm.cnt_id = '".$parameter."'
ORDER BY cnt_id DESC
";
$item = $this->mysqli->fetch_assoc($sql);
return $item;
}
}
我可以问一下 - 如何使用准备好的绑定语句来转换这个 search 类?
我在网上读过一些文章为什么我们应该使用准备好的语句, 第 1 条 第 2 条
但我仍然不知道不知道如何改进我的查询...我尝试了下面的修改,
class search
{
public $mysqli = null;
public function __construct($mysqli)
{
$this->mysqli = $mysqli;
}
public function get_result($parameter)
{
$sql = "
SELECT *
FROM root_contacts_cfm
WHERE root_contacts_cfm.cnt_id = '?'
ORDER BY cnt_id DESC
";
$stmt = $this->mysqli->prepare($sql);
/* bind parameters for markers */
$stmt->bind_param("s", $parameter);
/* execute query */
$stmt->execute();
/* fetch value */
return $stmt->fetch();
}
}
所以当我将搜索类作为对象调用时,
$mysqli = new database(DB_HOST,DB_USER,DB_PASS,DB_NAME);
$output = new search($mysqli);
print_r($output->get_result('1'));
我会收到此错误,
警告:mysqli_stmt::bind_param() [mysqli-stmt.bind-param]:数量 变量数量不匹配 准备好的语句中的参数 C:\wamp\www\xxxl\class_database.php 上 第487行
第 487 行指的是 $stmt->bind_param("s", $parameter);
谢谢。
I have been told that my query below is very susceptible to an sql injection - I should be using bound parameters instead,
class search
{
public $mysqli = null;
public function __construct($mysqli,$keyword = null)
{
$this->mysqli = $mysqli;
}
public function get_result($parameter)
{
$sql = "
SELECT *
FROM root_contacts_cfm
WHERE root_contacts_cfm.cnt_id = '".$parameter."'
ORDER BY cnt_id DESC
";
$item = $this->mysqli->fetch_assoc($sql);
return $item;
}
}
can I ask - how can I turn this search class with a prepared and bound statement?
I have read some articles online why we should use prepared statements,
article 1
article 2
But I still don't have a clue how to improve my query... I tried with this amendment below,
class search
{
public $mysqli = null;
public function __construct($mysqli)
{
$this->mysqli = $mysqli;
}
public function get_result($parameter)
{
$sql = "
SELECT *
FROM root_contacts_cfm
WHERE root_contacts_cfm.cnt_id = '?'
ORDER BY cnt_id DESC
";
$stmt = $this->mysqli->prepare($sql);
/* bind parameters for markers */
$stmt->bind_param("s", $parameter);
/* execute query */
$stmt->execute();
/* fetch value */
return $stmt->fetch();
}
}
So when I call the search class as an object,
$mysqli = new database(DB_HOST,DB_USER,DB_PASS,DB_NAME);
$output = new search($mysqli);
print_r($output->get_result('1'));
I will get this error,
Warning: mysqli_stmt::bind_param()
[mysqli-stmt.bind-param]: Number of
variables doesn't match number of
parameters in prepared statement in
C:\wamp\www\xxxl\class_database.php on
line 487
line 487 refers to $stmt->bind_param("s", $parameter);
Thanks.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
尝试删除
',它围绕着?占位符。在准备好的语句中,整个事情就是在绑定参数时指定参数的类型,而不是在 SQL 查询中 - 你在编写
'?'时就是这样做的。您说过,当您将 param 绑定为字符串时,它必须是字符串,但不是必需的。数据库引擎现在将如何插入/转义该值。Try removing
', which surrounds your?placeholder.In prepared statements whole thing is about specifying type of param when you bind it, not in SQL query - which you did, when wrote
'?'. You've said that has to be string, but is not required, when you bind param as a string. Database engine will now how to insert/escape that value.这是我在网上搜索后的解决方案:
虽然不太明白...
我发现很难理解和练习准备好的和绑定的语句... mysqli::query() 对我来说更容易理解...
this is my solution after searching around online:
not quite understand it though...
I find it difficult to understand and practice with prepared and bound statement... mysqli::query() is easier for me to understand...