Prepared Statements and SQL Injection

2018-07-03 15:39:40

This question already has an answer here:

Are PDO prepared statements sufficient to prevent SQL injection? 7 answers

How can I prevent SQL injection in PHP? 28 answers

Simple answer, no. SQL injection involves inputting strings that are used as part of the SQL control itself rather than values for a part of the query. By parameterizing the query, you essentially cordon off the variable, which covers the cases protected by *_escape_string calls and is more secure.

链接地址: http://www.djcxy.com/p/93754.html