我只想驗證在MySQL中使用預準備語句是否可以防止SQL注入。在MySQL中使用預準備語句是否防止SQL注入攻擊?
以下代碼是否會阻止所有SQL注入攻擊?
$var = $_GET['q'];
$trimmed = trim($var);
if ($trimmed != NULL) {
$get_fighters = $DBH->prepare(
'SELECT *
FROM fighters
WHERE name LIKE :searchTerm
OR nickname LIKE :searchTerm
OR born_in_city LIKE :searchTerm
OR born_in_state LIKE :searchTerm
OR born_in_country LIKE :searchTerm
ORDER BY name ASC');
$get_fighters->bindValue(':searchTerm', '%' . $trimmed . '%', PDO::PARAM_STR);
$get_fighters->setFetchMode(PDO::FETCH_ASSOC);
$get_fighters->execute();
$check_results_fighters = $get_fighters->rowCount();
$get_events = $DBH->prepare(
'SELECT *
FROM events
WHERE event_name LIKE :searchTerm
OR event_arena LIKE :searchTerm
OR event_city LIKE :searchTerm
OR event_state LIKE :searchTerm
OR event_country LIKE :searchTerm
OR organization LIKE :searchTerm
ORDER BY event_date DESC');
$get_events->bindValue(':searchTerm', '%' . $trimmed . '%', PDO::PARAM_STR);
$get_events->setFetchMode(PDO::FETCH_ASSOC);
$get_events->execute();
$check_results_events = $get_events->rowCount();
}
可能重複[在PHP中防止SQL注入的最佳方法](http://stackoverflow.com/questions/60174/best-way-to-prevent-sql-injection-in-php) – outis
從['PDO :: prepare']( http://php.net/PDO.prepare)docs:「在準備好的語句中,不能使用兩次具有相同名稱的命名參數標記。」 (雖然在某些版本的PHP中使用PDO/MySQL驅動程序模擬準備好的語句確實支持重複的名稱,但依靠此名稱並不安全;另請參閱[「php pdo準備重複變量」](http://stackoverflow.com/q/7603896 /)。)始終RTM。 – outis
eeek ..這是否意味着我必須爲每個單獨的參數執行searchTerm1,2,3,4等...儘管它們都具有相同的值? – zen