using prepared statements

This question already has an answer here:

  • Are PDO prepared statements sufficient to prevent SQL injection? 7 answers

  • To the best of my knowledge, it is virtually impossible to SQL inject PDO (or at least I have not heard of a way to do so).

    Even if you use mysql_real_escape, you risk there being some tiny unknown bug in the function or a few cases where the function fails. The way PDO works is that it first 'prepares': it makes a list of what to do, it works out the operations, the works. Then it brings in the stuff you input. SQL injections work by making their way into the query.

    To put it simply,

    $query = "INSERT INTO table(name) VALUES($name)";
    

    is vulnerable. Even if you escape it, you may not be fully safe.

    If you prepare it, it doesn't take into account the $name. Hence there's no way the hacker can get into the query. Only after it has already calculated which operations are to be called does it put everything in accordingly, thus making it virtually impossible for a hacker to modify the query in any way.
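    The contrast the answer describes, as an added example that is not part of the original answer: the string-built INSERT beside its prepared-statement form, run against an in-memory SQLite database so it works offline. The table and column names (users, name), the constructed input value, and the availability of the pdo_sqlite driver are assumptions.

```php
<?php
// Added example (not from the original answer): the answer's string-built
// INSERT next to a PDO prepared statement. Uses an in-memory SQLite
// database so it runs offline; table and column names are assumed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Ask for real server-side prepares instead of client-side string
// interpolation. SQLite ignores this, but it is the setting you want with
// MySQL, where emulated prepares would rebuild the query as a string.
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');

// Constructed input: a perfectly legitimate name that happens to contain
// a quote character.
$name = "O'Brien";

// 1. The answer's pattern (with the quotes most people add around $name):
//    the value is spliced into the SQL text, so the quote inside $name
//    becomes part of the statement's syntax and the statement breaks.
try {
    $pdo->exec("INSERT INTO users(name) VALUES('$name')");
    echo "string-built insert succeeded (unexpected)\n";
} catch (PDOException $e) {
    echo "string-built insert failed: " . $e->getMessage() . "\n";
}

// 2. Prepared statement: the SQL text is fixed before $name is ever seen,
//    and the value travels separately as a bound parameter, never as SQL.
$stmt = $pdo->prepare('INSERT INTO users(name) VALUES(:name)');
$stmt->bindValue(':name', $name, PDO::PARAM_STR);
$stmt->execute();

// Read it back: the quote was stored literally, not interpreted.
$row = $pdo->query('SELECT name FROM users')->fetch(PDO::FETCH_ASSOC);
echo "prepared insert stored: " . $row['name'] . "\n";
```

    Run it with `php example.php`. The first insert fails with a syntax error because the input changed the shape of the query; the second stores the string unchanged, which is exactly the separation of query structure from data that the answer is describing.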
