Regarding the underlying processing issues of preventing injection of mysql prepared statements
phpcn_u5077 2017-06-15 18:24:58

PHP's PDO object or STMT object executes the SQL statement containing the injection.
Checking the MySQL log, I found that only the second single quote was escaped:
SELECT * FROM admin WHERE user = '123\' or 1 = 1#'
The native API log when calling libmysql.dll from C and other languages looks like this:
select * from admin where user = X'313233'
The processing method is to convert the parameters into hexadecimal.

They are all preprocessing. Why are there two different ways of underlying processing?

Is the preprocessing function encapsulated by PHP based on the native API of MYSQL?

Another statement from Baidu is that PHP's preprocessing is a pseudo-parameter query (simulated preprocessing), but Baidu has no introductory information on this aspect.
Is this statement true?

I hope the master can clear up the confusion. Thank you again!

phpcn_u5077
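
The two log lines in the question correspond to two ways a client can turn a bound value into statement text: quote-and-escape, and a hexadecimal literal. The sketch below is an added example, not code from the post, PDO or libmysql; `render_escaped`, `render_hex` and `literal_end` are hypothetical helpers, and it assumes the default sql_mode and a correctly declared connection charset.

```php
<?php
// Added illustration. The three helpers are hypothetical models of the two
// log lines, not PDO or libmysql source. Assumes default sql_mode (backslash
// escapes enabled) and a correctly declared connection charset.

// Quote-and-escape, using the character set of mysql_real_escape_string().
function render_escaped(string $v): string {
    $map = ["\\" => "\\\\", "\0" => "\\0", "\n" => "\\n", "\r" => "\\r",
            "'" => "\\'", '"' => '\\"', "\x1a" => "\\Z"];
    return "'" . strtr($v, $map) . "'";
}

// Hexadecimal literal: each byte becomes two hex digits, so no byte of the
// value can act as a quote or a comment marker.
function render_hex(string $v): string {
    return "X'" . strtoupper(bin2hex($v)) . "'";
}

// Scan a quoted literal with the server's rules (backslash escapes, '' as an
// escaped quote). Returns the offset just past the closing quote, -1 if none.
function literal_end(string $sql, int $open): int {
    $n = strlen($sql);
    for ($i = $open + 1; $i < $n; $i++) {
        if ($sql[$i] === "\\") { $i++; continue; }
        if ($sql[$i] !== "'") { continue; }
        if ($i + 1 < $n && $sql[$i + 1] === "'") { $i++; continue; }
        return $i + 1;
    }
    return -1;
}

$prefix = "SELECT * FROM admin WHERE user = ";
$param  = "123' or 1 = 1#";            // value behind the post's first log line
$forms  = [
    'escaped' => render_escaped($param),
    'hex'     => render_hex($param),
    'concat'  => "'" . $param . "'",   // no parameter handling, for contrast
];
foreach ($forms as $how => $literal) {
    $sql  = $prefix . $literal;
    $end  = literal_end($sql, strpos($sql, "'"));
    $tail = $end < 0 ? '(unterminated)' : substr($sql, $end);
    // An empty tail means the whole value stayed inside one literal.
    printf("%-8s %s\n  parsed after the literal: [%s]\n", $how, $sql, $tail);
}
```

With pdo_mysql, `PDO::ATTR_EMULATE_PREPARES` is enabled by default, so PDO builds the statement text on the client and the server log shows the escaped form. Setting it to `false` makes PDO use the server's native prepared statements, where the statement and its parameters are sent separately.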

reply all(2)
美食控

php masters are all studying the bottom layer

  • reply I'm not a master, but I like to get to the bottom of things that are strange and interesting.
    phpcn_u5077 author 2017-06-16 07:31:17
shuffle

Although I don’t understand what you are talking about, it feels so high-end

  • reply 。。。。。。
    phpcn_u5077 author 2017-06-16 07:33:44