SELECT within SELECT PDO prepared statement

This question already has an answer here: Are PDO prepared statements sufficient to prevent SQL injection? 7 answers To clear any confusion, what i'm doing is this: $pdo = new PDO('..'); $sql = 'SELECT id FROM users WHERE username = :username'; $statement = $pdo->prepare($sql); $statement->bindParam(':username', $_POST['username']); Question is,

在SELECT PDO准备语句中进行SELECT

这个问题在这里已经有了答案: PDO准备的语句是否足以防止SQL注入? 7个答案 为了消除任何困惑,我正在做的是这样的: $pdo = new PDO('..'); $sql = 'SELECT id FROM users WHERE username = :username'; $statement = $pdo->prepare($sql); $statement->bindParam(':username', $_POST['username']); 问题是,如果$ _POST ['username']包含'SELECT * FROM users&#

Is this PDO code safe enough from SQL injection?

This question already has an answer here: Are PDO prepared statements sufficient to prevent SQL injection? 7 answers If you use only prepare statments as in your code above you are secure. There are AFIK no other posibilities to hack your site with SQL injections. The prepare statments encupulates the data from the commands so can no content be executed as part of a SQL statment. Yes, p

这个PDO代码是否足够安全的从SQL注入?

这个问题在这里已经有了答案: PDO准备的语句是否足以防止SQL注入? 7个答案 如果您仅使用上述代码中的准备语句,则表示您是安全的。 有AFIK没有其他的可能性来破解你的网站与SQL注入。 准备语句会从命令中填充数据,因此不能将内容作为SQL语句的一部分执行。 是的,准备好的查询通常在SQL注入中几乎100%安全。 不过,我建议还将data_type参数传递给PDO::bindParam() ; 请参阅:准备好的查询100%安全,防SQL注入

Is my PDO query safe from SQL injection

This question already has an answer here: Are PDO prepared statements sufficient to prevent SQL injection? 7 answers 是的 - 当以这种方式使用时,参数化查询对于注入是安全的。 As long as you use prepared statements properly, you're safe from injection. but as soon as you DIRECTLY insert any external data into a query, even if it's otherwise a prepared statement, eg INSERT INTO $table

我的PDO查询是否安全的SQL注入

这个问题在这里已经有了答案: PDO准备的语句是否足以防止SQL注入? 7个答案 是的 - 当以这种方式使用时,参数化查询对于注入是安全的。 只要您正确使用准备好的语句,就可以避免注射。 但只要您直接将任何外部数据插入到查询中,即使它是其他准备好的语句,例如 INSERT INTO $table VALUES (:param) 你很脆弱 - 在这种情况下, $table可以被破坏,即使你正在使用一个准备好的语句。 任何人告诉你简单地切换mysql->

Is this kind of PDO query protected against SQL injection?

This question already has an answer here: How can prepared statements protect from SQL injection attacks? 9 answers 即使您使用过PDO , SQL INjection由于您尚未参数化查询,您的代码仍然容易受到SQL INjection因此必须对查询进行参数化才能清除值。 $userid = $_GET['id']; $query = "SELECT * FROM table WHERE userid=?"; $db->setAttribute( PDO::ATTR_EMULATE_PREPARES, false ); $action = $db->prepare(

这种PDO查询是否受到SQL注入的保护?

这个问题在这里已经有了答案: 准备好的语句如何防止SQL注入攻击? 9个答案 即使您使用过PDO , SQL INjection由于您尚未参数化查询,您的代码仍然容易受到SQL INjection因此必须对查询进行参数化才能清除值。 $userid = $_GET['id']; $query = "SELECT * FROM table WHERE userid=?"; $db->setAttribute( PDO::ATTR_EMULATE_PREPARES, false ); $action = $db->prepare($query); $action->bindParam(1, $userid); $

Switch query from traditional MySQL to PDO Format

I'm in the process of turning all of mysql related stuff in PHP into PDO format. That being said, I need to ask a question. I had a query that looked like this: $query = "SELECT COUNT(*) FROM table WHERE home_team = '".$team."' AND home_score > away_score"; With PDO, I have tried: $query = "SELECT COUNT(*) FROM table WHERE home_team=:team AND home_score>:away_score"; $stmt = $db-&

从传统MySQL切换到PDO格式

我正在将PHP中所有与mysql相关的东西转换为PDO格式。 这就是说,我需要问一个问题。 我有一个看起来像这样的查询: $query = "SELECT COUNT(*) FROM table WHERE home_team = '".$team."' AND home_score > away_score"; 有了PDO,我试过了: $query = "SELECT COUNT(*) FROM table WHERE home_team=:team AND home_score>:away_score"; $stmt = $db->prepare($query); $stmt->bindValue(':team', $team, PDO::

How to make website more secured?

Possible Duplicate: Best way to stop SQL Injection in PHP I have a question concerning the security of website. Actually I have used the queries as: $name = $_POST['name']; $sql = "INSERT INTO table (sno, name) VALUES('', '$name')"; mysql_query($sql); Does this kind of coding assures the security from sql injection or others. If not what methods could we use to make our website secured?

如何使网站更安全?

可能重复: 在PHP中停止SQL注入的最佳方法 我有一个关于网站安全的问题。 其实我已经使用这些查询: $name = $_POST['name']; $sql = "INSERT INTO table (sno, name) VALUES('', '$name')"; mysql_query($sql); 这种编码确保sql注入或其他的安全吗? 如果不是我们可以使用什么方法来使我们的网站安全? 提前致谢。 使用PDO与准备好的语句和绑定参数 PDO教程 这是开始。 为了保护自己免受sql注入使用PDO 在

is this a safe way to use SELECT via PDO

Possible Duplicate: Best way to stop SQL Injection in PHP How do I sanitize input with PDO? I'm pulling in an id via $_GET . I just started using PDO and I'm unsure if this is safe or not. Obviously, the code below is using $_GET to grab an id. I'm not sanitizing it at all before I place it in the query. Is this safe? <?php if (isset($_GET['id'])) { $blogid = $_GET['id']

这是通过PDO使用SELECT的安全方式

可能重复: 在PHP中停止SQL注入的最佳方法 如何使用PDO清理输入? 我通过$_GET拉入一个id。 我刚开始使用PDO,但我不确定这是否安全。 显然,下面的代码使用$_GET来获取一个id。 在我将它放入查询之前,我根本没有对它进行消毒。 这安全吗? <?php if (isset($_GET['id'])) { $blogid = $_GET['id']; $post = $dbh->query("SELECT id, title, slug, body, image, author, date, category from blog WHERE id='

SQL Injection Prevention Using Error Page

Possible Duplicate: Best way to stop SQL Injection in PHP I am curious what is the best way to prevent SQL injections through URL parameters - for example if the user visited http://mydomain.com/info.php?id='50 I am told the above URL with the parameter can allowed Brutal SQL injections, so what exactly is the best way of preventing this from happening? Would sending the user to an er

SQL注入预防使用错误页面

可能重复: 在PHP中停止SQL注入的最佳方法 我很好奇什么是防止通过URL参数进行SQL注入的最佳方式 - 例如,如果用户访问了http://mydomain.com/info.php?id='50 我被告知上面的URL带有参数可以允许残酷的SQL注入,那么防止这种情况发生的最好方法是什么? 在发生“或死”时将用户发送到错误页面会阻止这些SQL注入? 您应该查看OWASP SQL注入预防备忘单https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_

Is a prepared statement inside a stored procedure safe from SQL injection?

In MySQL is a prepared statement inside a stored procedure safe from SQL injection? See example below. The get_info stored procedure is passed a table name (pTbl) and the where clause (pWhere). pWhere can have many AND's (eg fld1="a" AND fld2="b" AND ...). It's probably not the best way to do it but I need to have dynamic sql. CREATE PROCEDURE get_info(pTbl VARCHA

存储过程中的准备好的语句是否安全,不受SQL注入的影响?

在MySQL中是一个在SQL注入安全的存储过程中的准备语句? 见下面的例子。 get_info存储过程传递一个表名(pTbl)和where子句(pWhere)。 p可以有多个AND(例如fld1 =“a”AND fld2 =“b”AND ...)。 这可能不是最好的办法,但我需要动态SQL。 CREATE PROCEDURE get_info(pTbl VARCHAR(10), pWhere TEXT) BEGIN SET @uSQL = CONCAT('SELECT info FROM ',pTbl,' WHERE ',pWhere); PREPARE ps FROM @uSQL; EXECUTE ps;

Reference: What is a perfect code sample using the MySQL extension?

This is to create a community learning resource . The goal is to have examples of good code that do not repeat the awful mistakes that can so often be found in copy/pasted PHP code. I have requested it be made Community Wiki. This is not meant as a coding contest. It's not about finding the fastest or most compact way to do a query - it's to provide a good, readable reference especia

参考:什么是使用MySQL扩展的完美代码示例?

这是为了创建一个社区学习资源 。 我们的目标是要有好的代码示例,它们不会重复在复制/粘贴的PHP代码中经常发现的可怕错误。 我已经要求它成为社区Wiki。 这并不意味着编码比赛。 这不是要找到最快或最简单的方式来进行查询,而是为新手提供一个很好的,可读的参考。 每天,使用Stack Overflow上的mysql_*系列函数都会产生大量问题,并带有非常糟糕的代码片段。 尽管通常最好将这些人引导到PDO,但有时候这是不可能的(