如果使用准备好的PHP / MySQL查询,我是否需要清理输入?
发布时间:2020-12-13 13:53:33 所属栏目:PHP教程 来源:网络整理
导读:鉴于以下代码,我是否需要逃离并消毒$city? ?php$mysqli = new mysqli("localhost","my_user","my_password","world");/* check connection */if (mysqli_connect_errno()) { printf("Connect failed: %sn",mysqli_connect_error()); exit();}$city = "Amer
|
鉴于以下代码,我是否需要逃离并消毒$city?
<?php
$mysqli = new mysqli("localhost","my_user","my_password","world");
/* check connection */
if (mysqli_connect_errno()) {
printf("Connect failed: %sn",mysqli_connect_error());
exit();
}
$city = "Amersfoort";
/* create a prepared statement */
if ($stmt = $mysqli->prepare("SELECT District FROM City WHERE Name=?")) {
/* bind parameters for markers */
$stmt->bind_param("s",$city);
/* execute query */
$stmt->execute();
/* bind result variables */
$stmt->bind_result($district);
/* fetch value */
$stmt->fetch();
printf("%s is in district %sn",$city,$district);
/* close statement */
$stmt->close();
}
/* close connection */
$mysqli->close();
?>
使用准备好的查询时,是否需要清理任何输入?
不,你不必为了注射保护而逃避它或消毒它.对于其他应用程序特定的东西,您可能会消毒它.
我前面有一个类似的问题: mysqli_stmt_bind_param SQL Injection (编辑:李大同) 【声明】本站内容均来自网络,其相关言论仅代表作者个人观点,不代表本站立场。若无意侵犯到您的权利,请及时与联系站长删除相关内容! |