For database security do I need to do BOTH binding parameters in a prepared statement AND mysql_real_escape_string() on the input?
Thanks!
PHP Mysqli - 参数绑定AND escape_string?
- 写回答
- 好问题 0 提建议
- 追加酬金
- 关注问题
分享- 邀请回答
-
1条回答 默认 最新
- douhuo3696 2013-03-05 00:47关注
No, parameterised queries are fine on their own. As long as you keep all variable data in parameters, passed separately from the query, they can be picked up without any escape/unescape handling.
You shouldn't blanket-escape at the input phase in general - you don't know what kinds of escape (SQL, HTML, JS, ...) you're going to need until the point you actually inject a value into one of those string contexts. Applying all kinds of escapes over all input data will only lead to mangled and inconsistent input handling.
本回答被题主选为最佳回答 , 对您是否有帮助呢?解决 无用评论 打赏举报 分享
- 2013-03-04 23:26回答 1 已采纳 No, parameterised queries are fine on their own. As long as you keep all variable data in paramete
- 2016-03-07 18:37回答 1 已采纳 You might be better off using prepared statements, but to the question, pass an array of object an
- 2015-11-27 13:34回答 3 已采纳 mysqli_real_escape_string($username) is missing a required parameter The usage of mysqli_real_esc
- 2021-04-26 10:49君子心理的博客 此mysqli_query命令导致以下错误mysqli_query("INSERT INTO `counter`.`hits` (`page_hits`) VALUES ('".$hits."')");Warning: mysqli_query() expects at least 2 parameters, 1 given in此错误消息是什么意思,...
- 2016-07-13 06:05回答 1 已采纳 ["Inventory"]=> array(0) { } Your problem is that your data contains an array, which ca
- 2014-04-25 12:14回答 4 已采纳 This is safe. If you dont feel safe, it only has characters and integers, you can easily test it i
- 2013-05-28 08:04回答 1 已采纳 You are using a mysql RESERVED KEYWORD in your query that is key, simply surround it with backtick
- 2020-12-21 20:27weixin_39860064的博客 php操作mysqli(示例代码)更新时间:2013年10月28日 08:56:20 作者:php操作mysqli的示例代码。需要的朋友可以过来参考下,希望对大家有所帮助define("MYSQL_OPEN_LOGS",true);class mysqliHelp{private $db;public ...
- 2012-11-18 15:48回答 2 已采纳 According to PHP Manual on mysqli and prepared statements: Escaping and SQL injection Bou
- 2019-03-04 10:58回答 5 已采纳 You are wrong to pass parameters to the mysqli_real_escape_string () function before inserting the
- 2016-08-30 17:57回答 3 已采纳 I think you want this <?php $con=mysqli_connect("localhost","my_user","my_password","my_db");
- 2021-04-20 13:23weixin_39932300的博客 我正在将当前未受保护的查询更新为参数化查询,以防止受到SQL注入.我花了几个小时试图对这个...)之前工作$storeName = mysqli_real_escape_string($conn,$_GET['store']);$query = "SELECT * FROM stores WHERE stor...
- 2015-10-02 09:32回答 1 已采纳 Your parameters are in the wrong order, read the documentation again. For example: $username = my
- 2022-08-21 13:01allway2的博客 这可能看起来很奇怪,为...需要注意的是,这需要 mysqlnd,它从 5.3 开始就包含在 PHP 中,并且从 5.4 开始一直是默认的本地驱动程序,MySQLi 独有的一个很棒的功能,在 PDO 中不存在,它可以获取有关查询的更多信息。
- 2021-02-07 22:54miao君的博客 前言本文章主要以后端PHP和MySQL数据库为例,参考了多篇文章后的集合性文章,欢迎大家提出个人见解,互促成长。一、 PHP几种防御姿势1、关闭错误提示说明:PHP配置文件php.ini中的display_errors=Off,这样就关闭了...
- 2021-01-18 21:50彭迅鹏xp的博客 我目前正在使用不推荐使用的代码来从用户那里获取数据,如下所示: /* retrieve */ $lastName = $_POST['lastName']; $firstName = $_POST['firstName'];...例如,仅针对INSERT的参数绑定和仅针对SELECT的结果绑定吗?
- 2024-04-29 20:382401_84248681的博客 由于php是弱类型语言,会使用这个函数来判断一下。min,max生成随机整数延迟执行当前脚本若干秒检测变量是否已设置并且非 NULLmessage输出一条消息,并退出当前脚本。可以用于md5相等,但两值不相等的情况、sha1()和...
- 2021-03-04 08:07大菲哥 艺术留学的博客 mysqli_error -返回一个字符串描述过去的错误 mysqli_escape_string -别名mysqli_real_escape_string () mysqli_execute -别名mysqli_stmt_execute () mysqli_fetch_array -从结果集中取得一行作为关联,数字...
- 2021-02-08 11:10打不死的little强的博客 通过 PHP Mysqli 扩展与 MySQL 数据库交互由 学院君 创建于8个月前, 最后更新于 6个月前版本号 #11269 views0 likes0 collects引言前面学院君给大家简单介绍了如何在本地安装 MySQL 以及通过命令行和 GUI 客户端软件...
- 没有解决我的问题, 去提问
悬赏问题
- ¥15 Matlab在app上输入带有矩阵形式的初始条件发生错误
- ¥15 CST仿真别人的模型结果仿真结果S参数完全不对
- ¥15 误删注册表文件致win10无法开启
- ¥15 请问在阿里云服务器中怎么利用数据库制作网站
- ¥60 ESP32怎么烧录自启动程序
- ¥50 html2canvas超出滚动条不显示
- ¥15 java业务性能问题求解(sql,业务设计相关)
- ¥15 52810 尾椎c三个a 写蓝牙地址
- ¥15 elmos524.33 eeprom的读写问题
- ¥15 用ADS设计一款的射频功率放大器