sql-injection

Are PDO prepared statements sufficient to prevent SQL injection?

岁酱吖の submitted on 2019-11-25 21:35:56
Question: Let's say I have code like this: $dbh = new PDO("blahblah"); $stmt = $dbh->prepare('SELECT * FROM users where username = :username'); $stmt->execute( array(':username' => $_REQUEST['username']) ); The PDO documentation says: The parameters to prepared statements don't need to be quoted; the driver handles it for you. Is that truly all I need to do to avoid SQL injections? Is it really that easy? You can assume MySQL if it makes a difference. Also, I'm really only curious about the

What is SQL injection? [duplicate]

大憨熊 submitted on 2019-11-25 21:34:30
Question: This question already has an answer here: How does the SQL injection from the "Bobby Tables" XKCD comic work? 13 answers Can someone explain SQL injection? How does it cause vulnerabilities? Where exactly is the point where SQL is injected? Answer 1: Can someone explain SQL injection? SQL injection happens when you interpolate some content into a SQL query string, and the result modifies the syntax of your query in ways you didn't intend. It doesn't have to be malicious, it can be an accident. But

How can I prevent SQL injection in PHP?

試著忘記壹切 submitted on 2019-11-25 21:29:38
Question: If user input is inserted without modification into an SQL query, then the application becomes vulnerable to SQL injection, like in the following example: $unsafe_variable = $_POST['user_input']; mysql_query("INSERT INTO `table` (`column`) VALUES ('$unsafe_variable')"); That's because the user can input something like value'); DROP TABLE table;-- , and the query becomes: INSERT INTO `table` (`column`) VALUES('value'); DROP TABLE table;--') What can be done to prevent this from