Is this safe from SQL Injection?

I've been reading and asked a question about SQL Injection safe queries and everyone is saying that I should use PDO, so I just enabled my MYSQL PDO extension and made a simple query. So this is my code: public static function Add($catName, $catDescr = "", $catImgURL = "", $catSubLevel = 0, $catSubID = 0) { try { include_once "db_config.php"; $DBH = new PDO("mysql:

这是从SQL注入安全吗?

我一直在阅读并询问一个关于SQL注入安全查询的问题,每个人都说我应该使用PDO,所以我只启用了我的MYSQL PDO扩展并做了一个简单的查询。 所以这是我的代码: public static function Add($catName, $catDescr = "", $catImgURL = "", $catSubLevel = 0, $catSubID = 0) { try { include_once "db_config.php"; $DBH = new PDO("mysql:host=$db_host;dbname=$db_name", $db_user, $db_pass);

How to write update query using some {$variable} with example

如何使用一些{$variable}编写更新查询,例如: $query="update subjects set values username='{$name}', hash_password='{$pass}' where id=1"; You cannot use values there, it should be: $query="update subjects set username='{$name}', hash_password='{$pass}' where id=1"; But I would recommend using a prepared statement instead of dumping variables straight into your query. Create a PDO connection: /

如何用示例的{$ variable}编写更新查询

如何使用一些{$variable}编写更新查询,例如: $query="update subjects set values username='{$name}', hash_password='{$pass}' where id=1"; 你不能在那里使用values ,它应该是: $query="update subjects set username='{$name}', hash_password='{$pass}' where id=1"; 但我会建议使用准备好的语句,而不是将变量直接放入查询中。 创建一个PDO连接: // Usage: $db = connectToDatabase($dbHost, $dbName, $dbUsern

Creating a table using mysqli and php

I am not sure what I am doing wrong here. The table won't be created in the database 'Users' and there is no error message at all. PhpMyAdmin is set to allow no password, just to be clear on that point. here is my code: $dbConn = new mysqli("localhost", "root", "", "Users"); if ($dbConn->connect_error) { echo "alert('Database connection: unsuccessful! " . $

使用mysqli和php创建一个表

我不确定我在这里做错了什么。 该表不会在数据库'Users'中创建,并且根本没有错误消息。 PhpMyAdmin设置为不允许密码,只是为了清楚这一点。 这里是我的代码: $dbConn = new mysqli("localhost", "root", "", "Users"); if ($dbConn->connect_error) { echo "alert('Database connection: unsuccessful! " . $dbConn->connect_error . " ');"; die("Connection failed: " . $dbConn

Inserting into database with stmt and mysqli

Hi there i'm playing with stmt for the first time (looking at converting my code over after previously using standard mysqli functions through an extension class. However I can't seem to get it working. I'm using PHP 5.2.11 and mysql 4.1.22. I've got a table structure like so: CREATE TABLE IF NOT EXISTS `tags` ( `tag_id` smallint(3) unsigned NOT NULL auto_increment, `ti

用stmt和mysqli插入数据库

您好,我第一次使用stmt(在通过扩展类使用标准mysqli函数后,将代码转换过来。 然而,我似乎无法得到它的工作。 我使用PHP 5.2.11和mysql 4.1.22。 我有这样的表结构: CREATE TABLE IF NOT EXISTS `tags` ( `tag_id` smallint(3) unsigned NOT NULL auto_increment, `title` varchar(32) NOT NULL default '', PRIMARY KEY (`tag_id`) ) ENGINE=MyISAM DEFAULT CHARSET=utf8 AUTO_INCREMENT=9 ; 这里是我的代

Effectiveness of stripslashes against SQL Injection?

Possible Duplicate: Best way to defend against mysql injection and cross site scripting How to include a PHP variable inside a mysql insert statement I was wondering if anyone had came across the stripslashes statement when getting text from a password field, and if there is any way to do an SQL injection when this is the case? ie in the PHP language you can get text from a password field

基于SQL注入的反锯齿效果?

可能重复: 防御mysql注入和跨站点脚本的最佳方式 如何在mysql插入语句中包含一个PHP变量 我想知道是否有人在从密码字段获取文本时遇到了stripslashes语句,并且在这种情况下是否有任何方法执行SQL注入? 即在PHP语言中,您可以从网站的密码字段获取文本,并通过stripslashes语句将其删除(')so( ' OR 1=1 -- )变为( OR 1=1 )。 并且使得SQL注入很难做到。 stripslashes从数据中删除斜杠( ),这是转

php

PHP: $SQL = "SELECT goodies FROM stash WHERE secret='" . str_replace("'",'',$_POST['secret']) . "'"; Could an evil genius hacker inject SQL into my SELECT - How ? I've had a think about this for a while and I can't see any way to inject SQL into this statement. An SQL string that starts with a single quotes terminates at the next single quote unless it is escaped with a b

PHP

PHP: $SQL = "SELECT goodies FROM stash WHERE secret='" . str_replace("'",'',$_POST['secret']) . "'"; 一个邪恶的天才黑客可以将SQL注入到我的SELECT中 - 如何? 我已经想了一会儿,我看不出有什么办法可以将SQL注入到这个语句中。 以单引号开头的SQL字符串在下一个单引号处终止,除非使用反斜线或其他引号( '或'' )进行转义。 由于您要删除所有单引号,因此不能有加倍的引号。 如果你逃

PHP: Is mysql

Is mysql_real_escape_string sufficient for cleaning user input in most situations? ::EDIT:: I'm thinking mostly in terms of preventing SQL injection but I ultimately want to know if I can trust user data after I apply mysql_real_escape_string or if I should take extra measures to clean the data before I pass it around the application and databases. I see where cleaning for HTML chars is

PHP:是mysql

在大多数情况下, mysql_real_escape_string是否足以清除用户输入? ::编辑:: 我主要想的是防止SQL注入,但我最终想知道在应用mysql_real_escape_string之后是否可以信任用户数据,或者在应用程序和数据库传递之前,我应该采取额外措施来清理数据。 我看到清除HTML字符的位置很重要,但我不认为需要信任用户输入。 ? mysql_real_escape_string在所有情况下都不够用,但它绝对是非常好的朋友。 更好的解决方案是使

mysql: works ok in console, in php will not access data

connecting either as root or regular user, everything works fine from mysql console on php, connects fine, set schema fine, but will not pull data from schema. // connect and set schema $_db = mysql_connect( '127.0.0.1', 'root', '*******' ); mysql_select_db( 'suangao' ); echo "schema = ".db_get_col("select database()"); // => schema = suangao // non-table query $result = mysql_query( "select

mysql:在控制台中正常工作,php不会访问数据

以root用户或普通用户身份连接,从mysql控制台一切正常 在PHP上,连接好,设置架构好,但不会从架构拉数据。 // connect and set schema $_db = mysql_connect( '127.0.0.1', 'root', '*******' ); mysql_select_db( 'suangao' ); echo "schema = ".db_get_col("select database()"); // => schema = suangao // non-table query $result = mysql_query( "select 1" ); echo "rows 1 = ".mysql_num_rows($result); // => row

Connecting to MySQL/sqlbuddy PHP

Hi I'm havving trouble getting my code to connect to my sql. I am creating in aptana with a wamp stack. When running the web page only displays cannot connect to DB: mysql_error(). " ); mysql_select_db ("q4u!") or die ("cannot select db"); echo " Connected! "; $INSERT_sql = "insert into customer (cust_Fname, cust_Lname, cust_Phone, cust_alt_phone

连接到MySQL / sqlbuddy PHP

嗨,我很难让我的代码连接到我的SQL。 我正在用一个压缩栈创建aptana。 运行网页时只显示 无法连接到DB:mysql_error()。 “); mysql_select_db(”q4u!“)或死(”无法选择数据库“);回声”连接! “; $ INSERT_sql =”插入客户(cust_Fname,cust_Lname,cust_Phone,cust_alt_phone,cust_Email,cust_notification_preference)VALUES('$ _POST [firstname]','$ _ POST [lastname]','$ _ POST [

How to insert data in a table with a foreign key?

I have a problem inserting data into a table that has a foreign key using PHP. I have a table named CUSTOMER_INFORMATION with fields customer_no(PK), first_name, last_name, etc..) and a CATERING_RESERVATION table with fields catering_no(PK), type_of_event, number_of_persons, customer_no(FK), etc... I want to insert the customer_no in the CATERING_RESERVATION table but I have this error: Can

如何使用外键在表中插入数据?

将数据插入使用PHP的外键的表中有问题。 我有一个名为CUSTOMER_INFORMATION的表,其中包含字段customer_no(PK),first_name,last_name等)和CATERING_RESERVATION表,其中的字段为catering_no(PK),type_of_event,number_of_persons,customer_no(FK)等等。 我想在CATERING_RESERVATION表中插入customer_no ,但是我有这个错误: 无法添加或更新子行:外键约束失败(`thesis / catering_reservation`,CONSTRAINT`