Is it necessary to prevent SQL injection when developing with the tb framework? How do you prevent SQL injection? Hoping an expert can answer.
A simple one:
Use PDO to operate the database. In the SQL statement to be executed, use named (:name) placeholders or ? placeholders instead of directly concatenating strings, then use bindParam to bind the parameters and specify each parameter's type.
A simple example
<code>$pdo = new PDO("mysql:host=$servername;dbname=myDB", $username, $password); // first create a PDO object
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); // make PDO throw exceptions on errors
$sql = 'SELECT * FROM article WHERE id > ?'; // use a ? placeholder
$minId = 10; // the value to bind (example value)
try {
    $stmt = $pdo->prepare($sql); // the returned statement object is assigned to $stmt
    // bindParam(position of the placeholder, variable to bind [, data type]);
    // bindParam() is a method of $stmt, not of $pdo
    $stmt->bindParam(1, $minId, PDO::PARAM_INT);
    $stmt->execute(); // run the SQL statement
    $rows = $stmt->fetchAll(PDO::FETCH_ASSOC); // read the result set
} catch (PDOException $e) {
    echo 'Execute SQL failed: ' . $e->getMessage();
    exit();
}</code>
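The pattern from the answer above, placed next to the vulnerable string-splicing version so the difference is visible on the same input. This is an added example, not code from the original answer: it runs against an in-memory SQLite database so it works stand-alone, and the article table, its two rows and the attacker string are constructed here for illustration.

```php
<?php
// Added example: string concatenation vs. a PDO prepared statement.
// In-memory SQLite so it runs without a MySQL server; the data is constructed.
declare(strict_types=1);

function makeDb(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE article (id INTEGER PRIMARY KEY, title TEXT, status TEXT)');
    // Constructed sample rows: one public article and one draft that must not leak.
    $pdo->exec("INSERT INTO article (title, status) VALUES ('public post', 'published'), ('secret draft', 'draft')");
    return $pdo;
}

// Vulnerable: the caller's string is spliced straight into the SQL text,
// so a quote in the input ends the literal and the rest becomes SQL.
function findByStatusUnsafe(PDO $pdo, string $status): array {
    $sql = "SELECT title FROM article WHERE status = '$status'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Safe: the SQL text is fixed at prepare() time; the value is sent as a bound
// parameter and can only ever be compared as data, never parsed as SQL.
function findByStatusSafe(PDO $pdo, string $status): array {
    $stmt = $pdo->prepare('SELECT title FROM article WHERE status = :status');
    $stmt->bindValue(':status', $status, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Integer parameter with a positional ? placeholder (positions are 1-based),
// the same shape as the id > ? query in the answer above.
function findNewerThan(PDO $pdo, int $minId): array {
    $stmt = $pdo->prepare('SELECT title FROM article WHERE id > ?');
    $stmt->bindValue(1, $minId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$pdo = makeDb();
$payload = "published' OR '1'='1"; // constructed attacker input

var_dump(findByStatusUnsafe($pdo, $payload)); // both titles: the draft leaks
var_dump(findByStatusSafe($pdo, $payload));   // empty array: no row has that literal status
var_dump(findNewerThan($pdo, 1));             // ["secret draft"]
```

With MySQL the same code applies; additionally put charset=utf8mb4 in the DSN and pass PDO::ATTR_EMULATE_PREPARES => false in the connection options so that the parameters are bound by the server rather than escaped client-side by the driver.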
Parameterized queries using mysqli or PDO.
Whether you use a framework or not, PDO has nothing to do with injection. Many people misunderstand and think PDO can prevent injection; they try to prevent it with placeholders and prepared statements. In fact, these are not 100% effective. So it is safer to write global filtering yourself and filter out SQL keywords.