PHP/SQL Database querying good practice and security

Backend | Unresolved | 6 | 2068
忘了有多久 2020-12-14 04:54

So I'm a slightly seasoned php developer and have been 'doin the damn thing' since 2007; however, I am still relatively n00bish when it comes to securing my applications.

6 answers
  •  一个人的身影
    2020-12-14 05:07

    My recommendations:

    1. ditch mysqli in favor of PDO (with mysql driver)
    2. use PDO parameterized prepared statements

    You can then do something like:

    // MySQL DSN: the PDO MySQL driver expects "host=", not "server=",
    // and no whitespace between the key=value pairs
    $pdo_obj = new PDO( 'mysql:host=localhost;dbname=mydatabase',
                        $dbusername, $dbpassword );

    // The SQL text is fixed; the value is supplied separately as a named parameter
    $sql = 'SELECT column FROM table WHERE condition=:condition';
    $params = array( ':condition' => 1 );

    // Forward-only cursor is enough when the result is read once, top to bottom
    $statement = $pdo_obj->prepare( $sql,
        array( PDO::ATTR_CURSOR => PDO::CURSOR_FWDONLY ) );
    $statement->execute( $params );
    $result = $statement->fetchAll( PDO::FETCH_ASSOC );
    

    PROs:

    1. No more manual escaping since PDO does it all for you!
    2. It's relatively easy to switch database backends all of a sudden.

    CONs:

    • I cannot think of any.
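To make the advice above concrete, here is an added example (not the answerer's code) contrasting a string-built query with the parameterized form, plus the identifier case that parameters cannot cover. It assumes a MySQL database `mydatabase` with a `users` table (columns `id`, `username`, `email`) and the credentials `$dbusername`/`$dbpassword` from the answer.

```php
<?php
// Added example; assumes a "users" table with id, username, email columns.
$dsn = 'mysql:host=localhost;dbname=mydatabase;charset=utf8mb4';
$options = [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // fail loudly, never return false silently
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    PDO::ATTR_EMULATE_PREPARES   => false, // real server-side prepares: query text and values stay separate
];
$pdo = new PDO($dsn, $dbusername, $dbpassword, $options);

// Vulnerable form: the caller's string becomes part of the SQL text itself,
// so any quote or operator in $name changes the meaning of the query.
function findUserUnsafe(PDO $pdo, string $name): array
{
    $sql = "SELECT id, username, email FROM users WHERE username = '" . $name . "'";
    return $pdo->query($sql)->fetchAll();
}

// Safe form: the SQL text is a constant; $name travels as a bound value
// and can only ever be compared against the column, never parsed as SQL.
function findUserSafe(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT id, username, email FROM users WHERE username = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll();
}

// Caveat: table/column names and ORDER BY direction are not data, so they
// cannot be bound. Validate them against an allow-list before interpolating.
function listUsersSorted(PDO $pdo, string $column, int $limit): array
{
    $allowed = ['id', 'username', 'email'];
    if (!in_array($column, $allowed, true)) {
        throw new InvalidArgumentException('Invalid sort column');
    }
    $stmt = $pdo->prepare("SELECT id, username, email FROM users ORDER BY $column LIMIT :limit");
    $stmt->bindValue(':limit', $limit, PDO::PARAM_INT); // LIMIT requires an integer-typed bind
    $stmt->execute();
    return $stmt->fetchAll();
}

// Example calls (hypothetical input; a constructed request value)
$rows = findUserSafe($pdo, $_GET['name'] ?? '');
$page = listUsersSorted($pdo, 'username', 20);
```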
