How to create a secure mysql prepared statement in php?

I am new to using prepared statements in mysql with php. I need some help creating a prepared statement to retrieve columns. I need to get information from different columns. Currently for a test file, I use the completely unsecure SQL statement: $qry = "SELECT * FROM mytable where userid='{$_GET['userid']}' AND category='{$_GET['category']}'ORDER BY id DESC" $result = mysql_query($qry) or d

如何在PHP中创建一个安全的MySQL准备语句?

我是使用PHP中的MySQL准备语句的新手。 我需要一些帮助,创建一个准备好的语句来检索列。 我需要从不同栏目获取信息。 目前对于测试文件,我使用完全不安全的 SQL语句: $qry = "SELECT * FROM mytable where userid='{$_GET['userid']}' AND category='{$_GET['category']}'ORDER BY id DESC" $result = mysql_query($qry) or die(mysql_error()); 有人可以帮助我创建一个安全的 mysql语句使用来自url参数的输入(如上)

Prepared statements and second order SQL injections

I have read somewhere here that using prepared statements in PDO makes your app only immune to first order SQL injections, but not totally immune to second order injections. My question is: if we used prepared statements in all queries inlcuding SELECT queries and not only in INSERT query, then how can a second order sql injection be possible? For example in the following queries there is no

准备好的语句和二阶SQL注入

我在这里读过的一些地方是,在PDO中使用准备好的语句使得你的应用程序仅仅能够免疫一阶SQL注入,但并不完全免疫二次注入。 我的问题是:如果我们在包含SELECT查询的所有查询中使用准备好的语句,而不仅仅是在INSERT查询中使用准备好的语句,那么如何执行二次SQL注入成为可能? 例如在下面的查询中,没有机会进行二次订单注入: 写: INSERT INTO posts (userID,text,date) VALUES(?,?,?) 读: SELECT * FROM posts WEHRE

PDO MySQL: Use PDO::ATTR

This is what I've read so far about PDO::ATTR_EMULATE_PREPARES : PDO's prepare emulation is better for performance since MySQL's native prepare bypasses the query cache. MySQL's native prepare is better for security (preventing SQL Injection). MySQL's native prepare is better for error reporting. I don't know how true any of these statements are anymore. My greate

PDO MySQL:使用PDO :: ATTR

这是我迄今为止读到的有关PDO::ATTR_EMULATE_PREPARES : 因为MySQL的本地准备绕过查询缓存,所以PDO的准备模拟对性能更好。 MySQL的本地准备对安全性更好(防止SQL注入)。 MySQL的本地准备更适合错误报告。 我不知道这些陈述是多么的真实。 在选择MySQL接口时,我最关心的是防止SQL注入。 第二个问题是性能。 我的应用程序目前使用程序MySQLi(没有准备好的语句),并且使用查询缓存很多。 它很少会在单个请求中

GET (Any security concerns?)

Possible Duplicate: How prepared statements can protect from SQL injection attacks? If I'm using $_GET with PDO do I still need to escape it? My understanding is that this is immune to SQL injection, however I still feel uneasy about not escaping it. So could someone please look at this little block of code and tell me if it is secure? <?php $hostname = 'localhost'; $username = 'roo

GET(任何安全问题?)

可能重复: 准备好的语句如何防止SQL注入攻击? 如果我使用$ _GET和PDO,我还需要逃避它吗? 我的理解是,这对SQL注入是免疫的,但是我仍然对不转义它而感到不安。 那么有人可以看看这个小块代码并告诉我它是否安全? <?php $hostname = 'localhost'; $username = 'root'; $password = 'root'; $database = 'database'; try { $dbh = new PDO("mysql:host=$hostname;dbname=$database", $username, $password);

PHP: Injection protection using prepared statements

I am familiar with using PHP to perform mySQL queries. However, I have been using reg exps as protection against injection attacks. After reading several questions/answers here on SO, I've decided to opt for prepared statements instead. There's two options available (let me know if there are more): mysqli prepared statements PDO prepared staments Question 1 I am trying to unde

PHP:使用预准备语句进行注入保护

我熟悉使用PHP来执行mySQL查询。 但是,我一直在使用reg exps来防止注入攻击。 在阅读了关于SO的几个问题/答案之后,我决定选择准备好的陈述。 有两个选项可用(让我知道如果有更多): mysqli准备好的语句 PDO准备staments 问题1 我想了解链接页面上给出的代码示例。 对于mysqli ,示例#1: if ($stmt = $mysqli->prepare("SELECT District FROM City WHERE Name=?")) { $stmt->bind_param("s", $city

PDO Prepared Statement and SQL LIKE multiple values

I've got a search form where the user can search for a serial number or name of product. Here's my code: <?php require_once "pdo_rothConn.php"; if (isset($_POST['searchText'])){ $sql = "SELECT m_ipdb, m_name FROM machine WHERE 'm_ipdb' LIKE :number OR 'm_name' LIKE :name"; $stmt = $dbh->prepare($sql); $stmet->execute(array( ':number' => $_POST['searchText'], ':nam

PDO Prepared Statement和SQL LIKE多个值

我有一个搜索表单,用户可以搜索序列号或产品名称。 这是我的代码: <?php require_once "pdo_rothConn.php"; if (isset($_POST['searchText'])){ $sql = "SELECT m_ipdb, m_name FROM machine WHERE 'm_ipdb' LIKE :number OR 'm_name' LIKE :name"; $stmt = $dbh->prepare($sql); $stmet->execute(array( ':number' => $_POST['searchText'], ':name' => $_POST['searchText'])); while ( $row =

Are MySQLi Prepared Statements sufficient to prevent SQL injection?

A sibling question has been asked here. I am seeking perspective specific to the MySQLi extension. In the linked sibling question, the paraphrased conclusion is no, PDO prepared statements are not 100% sufficient to prevent SQL injection. There are certain edge cases and PDO settings that are vulnerable to SQL injection. My question is, are MySQLi prepared statements 100% sufficient to prev

MySQLi准备好的语句足以防止SQL注入吗?

这里提出了一个兄弟问题。 我正在寻求特定于MySQLi扩展的观点。 在链接的兄弟问题中,解释结论是否定的,PDO准备的语句不足以防止SQL注入。 某些边界案例和PDO设置容易受到SQL注入的影响。 我的问题是,MySQLi准备好的语句100%足以防止SQL注入,还是它也有我们需要更新以确保安全的某些设置? 谢谢你的帮助! 准备好的语句是服务器功能,而不是客户端库功能。 每个用于PHP的mysql客户端库 - pdo,mysql和mysqli -

PDO prepared Statements correct?

I am trying to use some PDO prepared statements for the first time to prevent a SQL Injection. I am quite new to SQL so the prepared statements are very bewildering to me. Do you think my SQL code with prepared statements is correct? <?php if ( $_SERVER["REQUEST_METHOD"] == 'POST' ) { $suche = htmlspecialchars($_POST['suche']); $stmt->bindParam(':suche', $suche); if (!

PDO准备的语句正确吗?

我正在尝试首次使用一些PDO准备语句来防止SQL注入。 我对SQL很陌生,所以准备好的语句对我来说非常困惑。 你认为我准备好的SQL语句是正确的吗? <?php if ( $_SERVER["REQUEST_METHOD"] == 'POST' ) { $suche = htmlspecialchars($_POST['suche']); $stmt->bindParam(':suche', $suche); if (!empty($suche)) { $sql = new rex_sql; $sql->debugsql = 0; $stmt = $sql->pre

Prevent SQL Injection without MySQLi or PDO

I know that I can use prepared statement to prevent SQL injection. I can do it using MySQLi or PDO. But I have a developed a large CRM using PHP/ MySQL (mysql_query). If I have to change each and every query into PDO or MySQLi, it will take at least a month. The script got more that 500 MySQL query statement. I really need help in this matter. Can anyone tell me that how to prevent SQL inj

防止没有MySQLi或PDO的SQL注入

我知道我可以使用准备语句来防止SQL注入。 我可以使用MySQLi或PDO来完成。 但是我开发了一个使用PHP / MySQL(mysql_query)的大型CRM。 如果我必须将每个查询都更改为PDO或MySQLi,则至少需要一个月。 该脚本获得了更多的500个MySQL查询语句。 在这件事上我真的需要帮助。 任何人都可以告诉我如何防止SQL注入不使用MySQLi或PDO? 任何人都可以告诉我,如何防止SQL注入不使用MySQLi或PDO [在现有的应用程序中有超过500

When should I use prepared statements?

Originally I used mysql_connect and mysql_query to do things. Then I learned of SQL injection, so I am trying to learn how to use prepared statements. I understand how the prepare and execute functions of the PDO class are useful to prevent SQL injection. But, are prepared statements only necessary when a users input is stored into a database. Would it be okay to still use mysql_num_rows, si

我应该什么时候使用准备好的陈述

最初我使用mysql_connect和mysql_query来做事情。 然后我学习了SQL注入,所以我正在学习如何使用预准备语句。 我了解PDO类的准备和执行功能对于防止SQL注入有用。 但是,只有在用户输入存储到数据库时才需要准备语句。 仍然可以使用mysql_num_rows,因为我没有真正冒着被使用这个函数入侵的风险吗? 或者使用准备好的语句来做到这一点更安全? 我应该使用准备好的语句来处理涉及使用mysql的一切吗? 为什么? 我非常感