douhui9631 2017-08-28 15:02
浏览 92
已采纳

哪个是在php中绑定param的最好的安全方法[关闭]

which is the best secure way to bind a value ? I know that there are 3 ways

1.

$Email=$con->quote($Email);
$Example=$con->prepare("UPDATE Ex SET Email=:Email");
$Example->bindParam(':Email', $Email);
$Example->execute();

2.

$Email=$con->quote($Email);
$Example=$con->prepare("UPDATE Ex SET Email=:Email");
$Example->execute(array(
   ':Email' => $Email,
));

3.

$Email=$con->quote($Email);
$Example=$con->prepare("UPDATE Ex SET Email=:Email");
$Example->bindParam(':Email', $Email);
$Example->execute(array(
   ':Email' => $Email,
));
  • 写回答

2条回答 默认 最新

  • doukeng7426 2017-08-28 15:10
    关注

    They're all wrong. Since you're separately using quote, the final query will actually be equivalent to (assuming $Email is, say foo@example.com):

    UPDATE Ex SET Email="\"foo@example.com\""

    In other words, the quotes become part of the value, which is probably not what you want.

    Either of these will do just fine:

    $Example = $con->prepare('UPDATE Ex SET Email = :Email');
$Example->execute(array(':Email' => $Email));

    $Example=$con->prepare('UPDATE Ex SET Email = :Email');
$Example->bindParam(':Email', $Email);
$Example->execute();

    Doing both bindParam and passing an array to execute is nonsense, since the latter will simply override the former and bindParam will have been superfluous.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论
查看更多回答(1条)

报告相同问题?

悬赏问题

  • ¥15 ikuai客户端多拨vpn,重启总是有个别重拨不上
  • ¥20 关于#anlogic#sdram#的问题,如何解决?(关键词-performance)
  • ¥15 相敏解调 matlab
  • ¥15 求lingo代码和思路
  • ¥15 公交车和无人机协同运输
  • ¥15 stm32代码移植没反应
  • ¥15 matlab基于pde算法图像修复,为什么只能对示例图像有效
  • ¥100 连续两帧图像高速减法
  • ¥15 如何绘制动力学系统的相图
  • ¥15 对接wps接口实现获取元数据