防止sql注入时,我们可以运用mysqli扩展的预编译来实现
举例说明:
假如在做用户登录时,我们用用户名、密码来实现登录,我们怎么来实现防sql注入(此处只讲mysqli的方法)
假如用户表有user_name,password字段,登录时,我们提交,用户名和密码时,后台处理
- $user_name = $params['user_name'];
- ?$password = md5($params['password']);
- $db = mysqli_connect('127.0.0.1','root','','webtest','3306');
- mysqli_set_charset($db,'utf8');
- $sql = 'SELECT id , user_name FROM user WHERE user_name =? AND password = ?';//'?'是占位符
- $stmt = mysqli_prepare($db,$sql);//生成具柄
- mysqli_stmt_bind_param($stmt,'ss',$user_name,$password);//绑定参数
- mysqli_stmt_execute($stmt);//执行sql
- mysqli_stmt_bind_result($stmt,$id,$user_name);//绑定结果
- mysqli_stmt_fetch($stmt);//遍历结果
|
