How do I sanitize data in PHP to avoid SQL injection?
I already used PDO:
$stmt = $aPDO->prepare("INSERT INTO ".$this->getM_oUser()->getM_sTableName()." (email, hash_pw, hash_key) VALUES (:email, :hash_pw, :hash_key)");
$stmt->bindValue(':email', $this->getM_oUser()->getM_sEmail());
$stmt->bindValue(':hash_pw', $this->getM_oUser()->getM_sHash_pw());
$stmt->bindValue(':hash_key', $this->getM_oUser()->getM_sHash_Key());
$stmt->execute();
Should I also use mysql_real_escape_string() to handle the user input string? Thank you.
Comments (2)
Using prepared statements with bound parameters is enough. You don't need to use mysql_real_escape_string (and you probably could not even if you wanted to -- you'd need a MySQL connection resource in hand to do it). I'd do something like that to exclude a lot of useless characters from your table name:
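The approach the answer describes, as an added example that is not the answerer's code or the question's: the values go through bound parameters, and the table name is checked against an allowlist because SQL identifiers cannot be bound. The in-memory SQLite database, the UserRepository class and the allowlist contents are assumptions made for the demonstration.

```php
<?php
// Added example (not from the original post). Values are bound, never concatenated;
// the table name is interpolated only after passing an allowlist, since PDO cannot
// bind identifiers. SQLite in memory keeps it runnable offline; on MySQL use a
// mysql: DSN, backtick quoting, and PDO::ATTR_EMULATE_PREPARES => false.
declare(strict_types=1);

final class UserRepository
{
    // Assumed allowlist: only table names the application owns may reach the SQL text.
    private const ALLOWED_TABLES = ['users', 'users_staging'];

    public function __construct(private PDO $pdo) {}

    private static function safeTable(string $name): string
    {
        if (!in_array($name, self::ALLOWED_TABLES, true)) {
            throw new InvalidArgumentException("Unknown table: $name");
        }
        return '"' . $name . '"'; // ANSI/SQLite identifier quoting; backticks on MySQL
    }

    public function insert(string $table, string $email, string $hashPw, string $hashKey): int
    {
        $sql = 'INSERT INTO ' . self::safeTable($table)
             . ' (email, hash_pw, hash_key) VALUES (:email, :hash_pw, :hash_key)';
        $stmt = $this->pdo->prepare($sql);
        $stmt->bindValue(':email', $email, PDO::PARAM_STR);
        $stmt->bindValue(':hash_pw', $hashPw, PDO::PARAM_STR);
        $stmt->bindValue(':hash_key', $hashKey, PDO::PARAM_STR);
        $stmt->execute();
        return (int) $this->pdo->lastInsertId();
    }
}

$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, hash_pw TEXT, hash_key TEXT)');
$repo = new UserRepository($pdo);

// Constructed input containing a quote: with a bound parameter it is stored literally,
// with no escaping done by the application.
$repo->insert('users', "o'brien@example.com", 'constructed-hash', 'constructed-key');
var_dump($pdo->query('SELECT email FROM users')->fetchColumn() === "o'brien@example.com");

// A table name outside the allowlist never reaches the SQL string.
try {
    $repo->insert('accounts', 'a@example.com', 'h', 'k');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```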