douhui9631 2017-08-28 15:02
Views: 92
Accepted

Which is the best secure way to bind a param in PHP [closed]

Which is the best secure way to bind a value? I know that there are 3 ways:

1.

$Email=$con->quote($Email);
$Example=$con->prepare("UPDATE Ex SET Email=:Email");
$Example->bindParam(':Email', $Email);
$Example->execute();

2.

$Email=$con->quote($Email);
$Example=$con->prepare("UPDATE Ex SET Email=:Email");
$Example->execute(array(
   ':Email' => $Email,
));

3.

$Email=$con->quote($Email);
$Example=$con->prepare("UPDATE Ex SET Email=:Email");
$Example->bindParam(':Email', $Email);
$Example->execute(array(
   ':Email' => $Email,
));

2 answers

  • doukeng7426 2017-08-28 15:10

    They're all wrong. Since you're separately using quote, the final query will actually be equivalent to (assuming $Email is, say, foo@example.com):

    UPDATE Ex SET Email="\"foo@example.com\""
    

    In other words, the quotes become part of the value, which is probably not what you want.

    Either of these will do just fine:

    $Example = $con->prepare('UPDATE Ex SET Email = :Email');
    $Example->execute(array(':Email' => $Email));
    
    $Example = $con->prepare('UPDATE Ex SET Email = :Email');
    $Example->bindParam(':Email', $Email);
    $Example->execute();
    

    Doing both bindParam and passing an array to execute is nonsense, since the latter will simply override the former and bindParam will have been superfluous.

    This answer was chosen by the asker as the best answer.
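The effect described in this answer, as an added example (not code from the question or the answer): the "quote() then bind" pattern from the question and the plain prepared-statement pattern are run side by side against an in-memory SQLite database, so the stored values can be compared. The table name, the column and the sample addresses are constructed for the demonstration; with the SQLite driver, quote() wraps the value in single quotes rather than the double quotes shown above, but the point is the same: the quotes end up inside the stored value.

```php
<?php
// Added example, not from the original page. Assumes the PDO SQLite driver is
// available; the table Ex and the sample addresses are constructed for this demo.

function storedEmail(PDO $con, bool $quoteFirst, string $email): string
{
    // Reset the constructed table to a single row we can update.
    $con->exec('DELETE FROM Ex');
    $con->exec("INSERT INTO Ex (Email) VALUES ('placeholder')");

    // The pattern from the question: quote() first, then bind the already-quoted
    // string. Binding never interprets the quotes, so they become part of the data.
    if ($quoteFirst) {
        $email = $con->quote($email);
    }

    // The correct pattern: the placeholder keeps the value out of the SQL text,
    // so no escaping or quoting of the value is needed at all.
    $stmt = $con->prepare('UPDATE Ex SET Email = :Email');
    $stmt->execute([':Email' => $email]);

    return (string) $con->query('SELECT Email FROM Ex')->fetchColumn();
}

$con = new PDO('sqlite::memory:');
$con->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$con->exec('CREATE TABLE Ex (Email TEXT)');

$input = 'foo@example.com';  // constructed sample value

printf("quote() + bind: %s\n", storedEmail($con, true, $input));   // 'foo@example.com' (quotes stored)
printf("bind only     : %s\n", storedEmail($con, false, $input));  // foo@example.com

// A legitimate value containing a quote character is stored verbatim when bound
// on its own, which is exactly why no manual quoting is needed.
$apostrophe = "o'neil@example.com";  // constructed sample value
printf("bind only     : %s\n", storedEmail($con, false, $apostrophe));  // o'neil@example.com
```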