Can I fully prevent SQL injection by PDO Prepared statement without bind

I am very new to PDO, sorry if you feel I am asking stupid question. Normal and simple PDO Prepared statement without Bind_param : $sql = $db->prepare('SELECT * FROM employees WHERE name = ?'); $sql->execute(array($name)); $rows = $sql->fetchAll(); with Bind_param : $sql->bind_param("s", $name); //s means the database expects a string I heard people said : "The protection c

我可以通过PDO Prepared语句完全防止SQL注入,无需绑定

我对PDO非常陌生,如果你觉得我在问一个愚蠢的问题,对不起。 普通和简单的PDO Prepared statement without Bind_param : $sql = $db->prepare('SELECT * FROM employees WHERE name = ?'); $sql->execute(array($name)); $rows = $sql->fetchAll(); 与Bind_param : $sql->bind_param("s", $name); //s means the database expects a string 我听到人们说: “保护来源于使用绑定参数,而不是使用准备好的语

PHP PDO: how to prevent javascript and html tags injection

I am using following script to update some data in MYSQL table, for that i am taking data from user. But it is not preventing from javascript and html tags. $attri= //containing field name like ("name=?, email=?") $value= //containing corresponding values like ("john", "email@exam.com") $sql_pro = "UPDATE regist SET ".$attri." WHERE user_id = ".$_SESSION['user_id']; $stmt_pro = $db->

PHP PDO:如何防止javascript和html标签注入

我正在使用以下脚本来更新MYSQL表中的一些数据,为此我正在从用户处获取数据。 但它并不妨碍JavaScript和html标签。 $attri= //containing field name like ("name=?, email=?") $value= //containing corresponding values like ("john", "email@exam.com") $sql_pro = "UPDATE regist SET ".$attri." WHERE user_id = ".$_SESSION['user_id']; $stmt_pro = $db->prepare($sql_pro); $i=1; foreac

Are PDO statements automatically escaped?

Are PHP PDO statements automatically escaped, or only prepared statements? For example, assume that $username and $password are user inputs. Is the following code secure, or is it vulnerable to injection? $dbh = new PDO("mysql:host=localhost;dbname=mydb", $my_mysql_username, $my_mysql_password); $sth = $dbh->query("SELECT * FROM users WHERE username='$username' AND password='$password'");

PDO语句是否自动转义?

PHP PDO语句是自动转义还是只准备语句? 例如,假设$username和$password是用户输入。 下面的代码是否安全,还是易受注入? $dbh = new PDO("mysql:host=localhost;dbname=mydb", $my_mysql_username, $my_mysql_password); $sth = $dbh->query("SELECT * FROM users WHERE username='$username' AND password='$password'"); $result = $sth->fetch(); if(!$result){ $dbh->exec("INSERT INTO users (username,

Prepared Statements and SQL Injection

This question already has an answer here: Are PDO prepared statements sufficient to prevent SQL injection? 7 answers How can I prevent SQL injection in PHP? 28 answers Simple answer, no. SQL injection involves inputting strings that are used as part of the SQL control itself rather than values for a part of the query. By parameterizing the query, you essentially cordon off the variable,

准备好的语句和SQL注入

这个问题在这里已经有了答案: PDO准备的语句是否足以防止SQL注入? 7个答案 我如何防止PHP中的SQL注入? 28个答案 简单的答案,不。 SQL注入包括输入用作SQL控件本身一部分的字符串,而不是查询部分的值。 通过参数化查询,您基本上将变量覆盖掉了,该变量覆盖受* _escape_string调用保护的情况,并且更安全。

Is sanitizing data + parameterisation in PDO oveekill?

This question already has an answer here: Are PDO prepared statements sufficient to prevent SQL injection? 7 answers There are three possible answers to this question. If your concern is SQL injection only, and whole SQL query is hardcoded in PHP script (like in your example), then nothing but prepared statement is needed. And thus sanitize_string is overkill and rather irrelevant. If y

正在消毒PDO oveekill中的数据+参数化?

这个问题在这里已经有了答案: PDO准备的语句是否足以防止SQL注入? 7个答案 这个问题有三种可能的答案。 如果您只关注SQL注入,并且整个SQL查询在PHP脚本中进行了硬编码(如您的示例中所示),则只需要准备好语句。 因此sanitize_string是过度杀伤性的,而且是无关紧要的。 如果您只关注SQL注入,并且动态组合一些SQL部分,则必须保护这些部分。 但是保护应该是特定于这些部分的,这使得sanitize_string相当无用。

using prepared statements

This question already has an answer here: Are PDO prepared statements sufficient to prevent SQL injection? 7 answers To the best of my knowledge, it is virtually impossible to SQL inject PDO (Or at least i have not heard of a way to do so). Even if you use mysql_real_escape then you risk there being some tiny unknown bug in the function or a few cases where the function fails. The way PDO

使用准备的语句

这个问题在这里已经有了答案: PDO准备的语句是否足以防止SQL注入? 7个答案 据我所知,SQL注入PDO几乎是不可能的(或者至少我还没有听说过这样做)。 即使你使用mysql_real_escape,你仍然有可能在函数中出现一些微小的未知错误,或者在函数失败的情况下。 PDO的工作方式是,它首先“准备”,它列出了要做的事情,并列出了操作和作品。 然后它带来你输入的东西。 SQL注入通过进入查询进行工作 简而言之, $query = "I

Can this prepared statement prevent SQL injection?

This question already has an answer here: Are PDO prepared statements sufficient to prevent SQL injection? 7 answers Yes it will prevent SQL injection because Prepared statements uses bound parameters. Prepared Statements do not combine variables with SQL strings, so it is not possible for an attacker to modify the SQL statement. Prepared Statements combine the variable with the compil

这个准备语句可以防止SQL注入吗?

这个问题在这里已经有了答案: PDO准备的语句是否足以防止SQL注入? 7个答案 是的,它会阻止SQL注入,因为 编写的语句使用绑定参数。 准备好的语句不会将变量与SQL字符串组合在一起,因此攻击者无法修改SQL语句。 Prepared Statements将变量与已编译的SQL语句组合在一起,这意味着SQL和变量是分开发送的,变量只是被解释为字符串,而不是SQL语句的一部分。

Is this code using PDO secure?

This question already has an answer here: Are PDO prepared statements sufficient to prevent SQL injection? 7 answers Shoud I use addParam before execution method? No. Passing a variable into execute does pretty the same. There could be other issues though, you can read on them here

此代码是否使用PDO安全?

这个问题在这里已经有了答案: PDO准备的语句是否足以防止SQL注入? 7个答案 我在执行方法之前使用addParam? 没有。 将一个变量传递给execute可以完全相同。 可能还有其他问题,你可以在这里阅读

Securing From SQL Injection With PDO API?

Possible Duplicate: Are PDO prepared statements sufficient to prevent SQL injection? my main concern with rolling out a new API Which I have been working on for a few days is the Security. I'm a beginner to the PDO usage, but know the main structure. but I have no idea on how to protect the query from SQLInjection. My code is Listed below:

使用PDO API保护SQL注入?

可能重复: PDO准备的语句是否足以防止SQL注入? 我推出一个新的API的主要担忧是安全。 我是PDO用法的初学者,但知道主要结构。 但我不知道如何保护来自SQLInjection的查询。 我的代码如下: dbh = new PDO('mysql:host=localhost;dbname=pdo', 'root', 'x

Multiple INSERT vulnerable to injection?

This question already has an answer here: Are PDO prepared statements sufficient to prevent SQL injection? 7 answers I was wondering whether doing a multiple insert has effect on the vulnerability for a MySQL injection? Because I 'build' the query using PHP code. Well, in the real life we cannot avoid manual query building, thus it's all right to create a query or two dynamica

多INSERT容易注射?

这个问题在这里已经有了答案: PDO准备的语句是否足以防止SQL注入? 7个答案 我想知道是否多次插入对MySQL注入漏洞有影响? 因为我'使用PHP代码构建'查询。 那么,在现实生活中,我们无法避免手动查询构建,因此可以动态创建一个或两个查询。 在这种情况下,必须遵循的唯一规则是所有查询部分都必须在脚本中进行硬编码 。 只要遵循,就不可能有任何注射。 在你的情况下,所有的查询部分都是硬编码的,因此