本文介绍了如何使用PHP的mysqli扩展及预处理语句来避免代码中的SQL注入风险。通过具体的SELECT和INSERT语句示例,展示了如何绑定参数并执行安全的SQL操作。
To avoid your code be vulnerable, especially for preventing SQL injection. You may need the mysqli_* function and prepare statement of it to make it.
I will make some examples, such like this:
- The SELECT sentence like this:
$stmt = $conn->prepare('SELECT column_name FROM table_name WHERE column_name = ?');
$stmt->bind_param('s', $varname);
$stmt->execute();
$result = $stmt->get_result();
- The INSERT sentence like this:
$stmt = $conn->prepare('INSERT INTO table_name(column_name_f, column_name_s) VALUES(?,?)');
$stmt->bind_param('ss', $var_name_f, $var_name_s);
$stmt->execute();
$stmt->close();So the only question you guys want to know is that mysterious ‘s’.
Not other mean, just String.
And other’s just as the word the said.
- bind_param which bind param like $var_name_f with the first question mark in this string(’s’) format.
- execute means that the statement will execute the sql sentence.
- close, just close connection;
扫一扫
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
