MySQLi的准备是出于安全考虑吗？

发布于 2024-12-02 22:26:12 字数 613 浏览 1 评论 0原文

因此，我开始使用 MySQLi 扩展，因为我听说它将来会受到支持。我读到，出于安全原因，我必须使用 prepare() 而不是使用 mysql_real_escape_string() ，例如，当我在查询中使用 $_GET 或 $_POST 时。

这是真的吗？我发现prepare() 非常适合制作可以更改参数的SQL 查询模板。因此脚本在 SQL 级别上也可以是动态的。它真的很有用。但我找不到有关其安全措施的真实信息。它真的可以逃避邪恶的东西并防止注射吗？或者我必须在编程层面上处理它？

例如这段代码安全吗？正如您所看到的，它使用 $_GET 来填充模板，因此如果 MySQLi 准备没有按照我希望的方式工作，那可能会非常危险。

$stmt = $mysqli->prepare('SELECT description,title FROM menu WHERE name = ?');

$stmt->bind_param('s', $n);

$n = $_GET['b'];

$stmt->bind_result($meta_description,$meta_title);
$stmt->execute();

原文

So, I started to use MySQLi extension as I heard it will be the supported one in the future. I read about that instead of using mysql_real_escape_string() I must use prepare() for security reasons, for example when I use a $_GET or $_POST in my query.

Is it true? I see that prepare() is good for making SQL query templates where I can change parameters. So the script can be dynamic on SQL level too. Its really useful. But I can't find real info about its security measures. Is it really escapes evil stuff and protects from injection? Or I have to deal with it on programming level?

For example this code is safe? As you can see it use a $_GET to fill the template so it can be really dangerous if MySQLi prepare isn't work as I want it to be.

$stmt = $mysqli->prepare('SELECT description,title FROM menu WHERE name = ?');

$stmt->bind_param('s', $n);

$n = $_GET['b'];

$stmt->bind_result($meta_description,$meta_title);
$stmt->execute();

分享到QQ

分享到微博