Multiple INSERT vulnerable to injection?

This question already has an answer here:

  • Are PDO prepared statements sufficient to prevent SQL injection? 7 answers

I was wondering whether doing a multiple insert has an effect on the vulnerability for a MySQL injection? Because I 'build' the query using PHP code.

    Well, in real life we cannot avoid manual query building, thus it's all right to create a query or two dynamically. The only rule you have to follow in this case is that all query parts have to be hardcoded in your script.

    As long as it's followed, no injection will ever be possible.

    In your case all query parts are hardcoded, thus this code is safe.


    As long as those values are being handled by PDO parameterized queries then it will escape any attempted injections.

    https://stackoverflow.com/a/134138

    If you aren't using PDO, then you need to make sure all data is correctly escaped, which is a lot of work.

    To see what query was actually executed by the MySQL server, you can follow these instructions to set up the general log: https://stackoverflow.com/a/2413308
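The rule from the answers above, shown as an added example (not code from the question or from either answer): a multi-row INSERT whose SQL text is assembled only from hardcoded identifiers and generated `?` placeholders, with every value bound through PDO. The `ALLOWED` list, the `insertRows` helper, the `users` table and the in-memory SQLite database are assumptions made for the illustration.

```php
<?php
declare(strict_types=1);

// Hardcoded allowlist (hypothetical): the only identifiers that may appear in the SQL text.
const ALLOWED = ['users' => ['name', 'email']];

function insertRows(PDO $pdo, string $table, array $columns, array $rows): int
{
    // Identifiers cannot be bound as parameters, so check them against the allowlist.
    if (!$columns || !$rows || !isset(ALLOWED[$table]) || array_diff($columns, ALLOWED[$table])) {
        throw new InvalidArgumentException('table or column not allowed');
    }
    // One "(?, ?)" group per row: the SQL text depends on counts only, never on values.
    $group = '(' . implode(', ', array_fill(0, count($columns), '?')) . ')';
    $sql = sprintf(
        'INSERT INTO %s (%s) VALUES %s',
        $table,
        implode(', ', $columns),
        implode(', ', array_fill(0, count($rows), $group))
    );
    // Flatten the rows into one positional parameter list.
    $params = [];
    foreach ($rows as $row) {
        if (count($row) !== count($columns)) {
            throw new InvalidArgumentException('row width mismatch');
        }
        foreach ($row as $value) {
            $params[] = $value;
        }
    }
    $stmt = $pdo->prepare($sql);
    $stmt->execute($params);
    return $stmt->rowCount();
}

// Demo on an in-memory SQLite database (assumption: the pdo_sqlite driver is installed).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (name TEXT, email TEXT)');

// Constructed sample input; the second name contains SQL metacharacters.
$rows = [
    ['alice', 'alice@example.com'],
    ["x'); DROP TABLE users; --", 'bob@example.com'],
];
echo insertRows($pdo, 'users', ['name', 'email'], $rows), " rows inserted\n";
echo $pdo->query('SELECT COUNT(*) FROM users')->fetchColumn(), " rows in table\n";
```

The second row is stored verbatim as a name and the table survives, because the value never becomes part of the SQL text. With MySQL, also set `PDO::ATTR_EMULATE_PREPARES` to `false` and declare the charset in the DSN so that the server, not the client, handles the parameters.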
