prepared-statement

mysqli_real_escape_string AND prepared statements?

时光毁灭记忆、已成空白 提交于 2019-11-30 19:40:43
Should be a simple enough question: If I am using mysqli prepared statements, do I still need to use mysqli_real_escape_string() as well? Is this necessary, or a good idea? Thanks, Nico No. If you use prepared statements, escaping is done for you. 来源: https://stackoverflow.com/questions/1162540/mysqli-real-escape-string-and-prepared-statements

Why is the PostgreSQL JDBC prepared statement threshold defaulted to 5?

孤人 提交于 2019-11-30 18:01:09
问题 By default, the parameter statement treshold is set to 5, instead of 1. That is, ((PGStatement) my_statement).getPrepareThreshold() always returns 5 by default. What would be the reason for that? Why would I want not to have to use the server-side prepared statement for the first 4 times the query is executed? I fail to understand why I would ever set this to another value than 1 and why this isn't by default set to 1. Can you explain? Thanks a lot. 回答1: Server side prepared statements

Should I use mysqli_real_escape_string or should I use prepared statements? [duplicate]

偶尔善良 提交于 2019-11-30 18:01:06
问题 This question already has answers here : How can I prevent SQL injection in PHP? (28 answers) Closed 6 years ago . Should I use mysqli_real_escape_string or should I use prepared statements? I've seen a tutorial now explaining prepared statements but I've seen them do the same thing as mysqli_real_escape_string but it uses more lines Are there any benefits for prepared statements? What do you think is the best method to use? 回答1: Prepared statements only. Because nowhere escaping is the same

getGeneratedKeys() after PreparedStatement.executeBatch()

删除回忆录丶 提交于 2019-11-30 17:59:54
I want to INSERT several rows using a PreparedStatement : ps = con.prepareStatement(query,PreparedStatement.RETURN_GENERATED_KEYS); for(Element e:listOfElements){ ps.setString(1,this.col_val_1); ps.setString(2,this.col_val_2); ps.setInt(3,this.col_val_3); ps.addBatch(); } ps.executeBatch(); ResultSet rs = ps.getGeneratedKeys(); At this point, whent I expect to get the PK's generated for each INSERT , I get this SQLServerException : com.microsoft.sqlserver.jdbc.SQLServerException: The statement must be executed before any results can be obtained. I expected to get a ResultSet with one row for

Should I be using PreparedStatements for all my database inserts in Java?

一笑奈何 提交于 2019-11-30 17:17:33
问题 What is the recommended method for escaping variables before inserting them into the database in Java? As I understand, I can use PreparedStatement.setString() to escape the data, but PreparedStatement seems somewhat impractical if I don't plan to run the same query ever again.. Is there a better way to do it without preparing every query? 回答1: Yes, use prepared statements for everything. They're parsed once. They're immune from SQL injection attacks. They're a better design because you have

getGeneratedKeys() after PreparedStatement.executeBatch()

[亡魂溺海] 提交于 2019-11-30 16:51:39
问题 I want to INSERT several rows using a PreparedStatement : ps = con.prepareStatement(query,PreparedStatement.RETURN_GENERATED_KEYS); for(Element e:listOfElements){ ps.setString(1,this.col_val_1); ps.setString(2,this.col_val_2); ps.setInt(3,this.col_val_3); ps.addBatch(); } ps.executeBatch(); ResultSet rs = ps.getGeneratedKeys(); At this point, whent I expect to get the PK's generated for each INSERT , I get this SQLServerException : com.microsoft.sqlserver.jdbc.SQLServerException: The

php mysqli prepared statement

淺唱寂寞╮ 提交于 2019-11-30 09:55:52
问题 Hey, I have a quick one. Is there any way to include a variable into a prepared query? example: $sql = "SELECT id, title, author, LEFT(description, 40) AS excerpt, image_small, image_med, date FROM posts ORDER BY id DESC LIMIT $start, $postsPerPage"; $result = $connect->prepare($sql) or die ('error'); $result->execute(); $result->bind_result($id, $title, $author, $excerpt, $image_small, $image_med, $date); Thanks! 回答1: you want the following: $start = 1; $postsPerPage = 1; $sql = "SELECT id,

Is there a reason for never closing a JDBC connection?

时间秒杀一切 提交于 2019-11-30 09:54:14
问题 I'm reading a code from the last developer that worked on the system and he never closes any connections with the database. He only closes PreparedStatement and ResultSet connections but never the Connection. The system does not use a connection pool. Is there any reason not to close everything ( Connection , PreparedStatement and ResultSet )? 回答1: There is no good reason for this, it will result in a very brittle application. It's easy for a database connection to go stale if there's a

Prepared statements and second order SQL injections

喜夏-厌秋 提交于 2019-11-30 09:44:37
问题 I have read somewhere here that using prepared statements in PDO makes your app only immune to first order SQL injections, but not totally immune to second order injections. My question is: if we used prepared statements in all queries inlcuding SELECT queries and not only in INSERT query, then how can a second order sql injection be possible? For example in the following queries there is no chance for a 2nd order injection: write: INSERT INTO posts (userID,text,date) VALUES(?,?,?) read:

Mysql update query with prepared statement is giving error

我与影子孤独终老i 提交于 2019-11-30 09:41:41
问题 I am getting the following error in the code below. Warning: mysqli_stmt::bind_param(): Number of variables doesn't match number of parameters in prepared statement in C:\wamp\www\purev\admin\edit.php on line 39 if(isset($_POST['submit'])){ $post_title = $_POST['posttitle']; $content = $_POST['content']; $author_name = $_POST['authorname']; $category = $_POST['category']; $post_date = $_POST['postdate']; if(isset($_FILES['image']['name']) && ($_FILES['image']['name'] !="")){ $size=$_FILES[
订阅 prepared-statement