I know that this question may be closed by some of you, but my question came up from you and your answers. I have been reading questions and answers about SQL injection and how to protect your database for the past two hours. The same goes for the huge number of web pages and tutorials I saw.

I found out that half of the people claim that prepared statements do secure your db, and the other half claim that they do not.

On the other hand, I read that mysql_real_escape_string does the job, and other people say that it does not.

My question is: whom should I believe?

In addition, is this a proper prepared statement?
```php
<?php
// $dbh is assumed to be an existing PDO connection

$stmt = $dbh->prepare("SELECT phpro_user_id, phpro_username, phpro_password
                       FROM phpro_users
                       WHERE phpro_username = :phpro_username
                         AND phpro_password = :phpro_password");

/*** bind the parameters ***/
$stmt->bindParam(':phpro_username', $phpro_username, PDO::PARAM_STR);
$stmt->bindParam(':phpro_password', $phpro_password, PDO::PARAM_STR, 40);

/*** execute the prepared statement ***/
$stmt->execute();
```

Recommended answer
Prepared statements don't. Bound parameters secure the statement (not the database as a whole) so long as all your untrusted data is passed via a parameter rather than being interpolated into the statement. When people use prepared statements, they almost always use bound parameters too, so the two names are often conflated.

mysql_real_escape_string almost always does the job, but since it adds additional steps to the process, it is more prone to human error.