简体中文(ZH-CN) English(EN) 繁体中文(ZH-TW) 日本語(JA) 한국어(KO) Melayu(MS) Français(FR) Deutsch(DE)
Regarding the underlying processing issues of preventing injection of mysql prepared statements
phpcn_u5077
phpcn_u5077 2017-06-15 18:24:58
0
2
1747

PHP's PDO object or STMT object executes the SQL statement containing the injection
Checking the MYSQL log found that only the second single quote was escaped
SELECT * FROM admin WHERE user = '123\' or 1 = 1#'
The native API log of calling libmysql.dll using C and other languages ​​is like this
select * from admin where user = X'313233'
The processing method is to convert the parameters into hexadecimal

They are all preprocessing. Why are there two different ways of underlying processing?

Is the preprocessing function encapsulated by PHP based on the native API of MYSQL?

Another statement from Baidu is that PHP's preprocessing is pseudo-parameter query (simulation preprocessing), but Baidu has no introduction information on this aspect
Is this statement true?

I hope the master can clear up the confusion. Thank you again!

phpcn_u5077
phpcn_u5077

reply all(2)
美食控
美食控2017-06-15 22:31:56 2 floor

php masters are all studying the bottom layer

Like +0
Add Reply
  • reply I'm not a master, but I like to get to the bottom of things that are strange and interesting.
    phpcn_u5077 author 2017-06-16 07:31:17
shuffle
shuffle2017-06-15 22:03:18 1 floor

Although I don’t understand what you are talking about, it feels so high-end

Like +0
Add Reply
  • reply 。。。。。。
    phpcn_u5077 author 2017-06-16 07:33:44
Popular Topics
More>
Popular Articles
Popular Tutorials
More>
Related Tutorials
Popular Recommendations
Latest courses
Latest Downloads
More>
Web Effects
Website Source Code
Website Materials
Front End Template
About us Disclaimer Sitemap
php.cn:Public welfare online PHP training,Help PHP learners grow quickly!