php - mysql avoid sql injections_问答_开发者_运维开发者技术经验分享

开发者 https://www.devze.com 2023-03-29 12:24 出处：网络

I have many functions like updateUser($id,$username,$email) updateMusic($id, $music) etc... Is there a generic function to avoid SQL injections ?

相关专题：php

I have many functions like

updateUser($id,$username,$email)
updateMusic($id, $music)

etc...

Is there a generic function to avoid SQL injections ?

I just want to avoid us开发者_JS百科ing mysql_real_escape_string for each parameter I have

$username = mysql_real_escape_string($username);
$email= mysql_real_escape_string($email);
$music= mysql_real_escape_string($music);

ALWAYS use prepared statements
Do NOT use mysql driver, use mysqli or PDO

You should use parameterization and let the database driver handle it for you, i.e. with PDO:

$dbh = new PDO('mysql:dbname=testdb;host=127.0.0.1', $user, $password); 
$stmt = $dbh->prepare('INSERT INTO REGISTRY (name, value) VALUES (:name, :value)');
$stmt->bindParam(':name', $name); 
$stmt->bindParam(':value', $value); 

// insert one row 
$name = 'one'; 
$value = 1; 
$stmt->execute();

Code from Bobby-Tables.

you may use,

list($id,$music) = array_map('mysql_real_escape_string',array($id,$music))

but prepared statements rocks

No there isn't, but you can parse all your inputs ( eg. GET and POST ) at beggining of the script

php - mysql avoid sql injections

精彩评论

关注公众号

热门标签

图文推荐

php - mysql avoid sql injections

更多 问答 相关资讯：

精彩评论

关注公众号

热门标签

图文推荐

更多问答相关资讯：