dongrongdao8902 2013-07-23 15:11

PDO without mysql_real_escape_string and bindValue

I'm relatively new to PDO and I have written the following block of code:

$id = $_GET['id'];

$db = new PDO('mysql:host=localhost;dbname=testdb;charset=utf8', 'username', 'password');

foreach($db->query("SELECT id,name FROM names where id = '$id' ") as $row) {
    echo "<p>", ($row['name']), "<br>";
}

My uncertainties are:

  1. Is it safe to OMIT mysql_real_escape_string in the first line since I'm using PDO?
  2. Is it safe to run the query as above without using bind values?

Thanks


  • dqqyp90576 2013-07-23 15:16

    No, this is not safe. PDO doesn't magically escape your queries for you. Your code, as shown, is wide open to SQL injection.

    If you are using variables in your query, don't use ->query. Do not try to escape them yourself. You should be using prepared statements. That's the way to be safe.

    $stmt = $db->prepare('SELECT id,name FROM names where id = ?');
    if($stmt->execute(array($id))){
        while($row = $stmt->fetch(PDO::FETCH_ASSOC)){
            echo "<p>", ($row['name']), "<br>";
        }
    }
    

    So, yes, you need to use bindParam, or execute, as shown.

    P.S. mysql_real_escape_string is only for the (deprecated) mysql_ extension. It doesn't work with PDO.

    This answer was selected by the asker as the best answer.
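
The difference between the question's query and the answer's prepared statement, as an added example that is not part of either post. It assumes the pdo_sqlite extension and uses an in-memory SQLite table with constructed rows in place of the MySQL `names` table; the function names `namesConcatenated` and `namesPrepared` are hypothetical.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for the question's MySQL table, using in-memory SQLite
// (assumes the pdo_sqlite extension) so the example runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// With the question's MySQL DSN, also turn off emulation so the server does the binding:
// $db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
$db->exec('CREATE TABLE names (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO names (id, name) VALUES (1, 'alice'), (2, 'bob'), (3, 'carol')");

// The question's pattern: the value becomes part of the SQL text.
function namesConcatenated(PDO $db, string $id): array
{
    return $db->query("SELECT id,name FROM names where id = '$id' ")
              ->fetchAll(PDO::FETCH_COLUMN, 1);
}

// The answer's pattern, written with bindValue: the value travels separately
// from the SQL text and is only ever compared as data.
function namesPrepared(PDO $db, string $id): array
{
    $stmt = $db->prepare('SELECT id,name FROM names WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN, 1);
}

// Constructed sample inputs standing in for $_GET['id'].
$inputs = ['2', "2' OR '1'='1"];
foreach ($inputs as $id) {
    printf("input %-16s concatenated: %-18s prepared: %s\n",
        json_encode($id),
        implode(',', namesConcatenated($db, $id)),
        implode(',', namesPrepared($db, $id)) ?: '(no rows)');
}
```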
