问题:
Let's say I have code like this: 假设我有这样的代码:
$dbh = new PDO("blahblah");
$stmt = $dbh->prepare('SELECT * FROM users where username = :username');
$stmt->execute( array(':username' => $_REQUEST['username']) );
The PDO documentation says: PDO文档说:
The parameters to prepared statements don't need to be quoted; 准备好的语句的参数不需要用引号引起来。 the driver handles it for you. 司机为您处理。
Is that truly all I need to do to avoid SQL injections? 那真的是我避免SQL注入所需要做的一切吗? Is it really that easy? 真的那么容易吗?
You can assume MySQL if it makes a difference. 您可以假设MySQL会有所作为。 Also, I'm really only curious about the use of prepared statements against SQL injection. 另外,我真的只是对针对SQL注入使用准备好的语句感到好奇。 In this context, I don't care about XSS or other possible vulnerabilities. 在这种情况下,我不在乎XSS或其他可能的漏洞。
解决方案:
参考一: https://stackoom.com/question/Yst/PDO准备好的语句是否足以防止SQL注入参考二: https://oldbug.net/q/Yst/Are-PDO-prepared-statements-sufficient-to-prevent-SQL-injection
来源:oschina
链接:https://my.oschina.net/stackoom/blog/4269848