I want to know whether applying mysql_real_escape_string to my variable is enough to prevent SQL injection. Does MySQL's real escape string definitively solve SQL injection?
$get_id = "select * from `book` where id='".$mysqli->real_escape_string($id)."' limit 1";
No, it is not. Use prepared statements.
You will have to do something like this:
// Your connection settings
$connData = ["localhost", "user", "pass", "database"];
$conn = new mysqli($connData[0], $connData[1], $connData[2], $connData[3]);
if ($conn->connect_error) {
    die("Connection failed: " . $conn->connect_error);
}
$conn->set_charset("utf8");
// Here we explain to MySQL what the query will be
$stmt = $conn->prepare("select * from book where id=? limit 1");
// Here we tell PHP which variable holds the "?" value. We also tell PHP that $id is an integer ("i")
$stmt->bind_param("i", $id);
// Here we bind the columns of the query to PHP variables
$stmt->bind_result($column1, $column2, ...); // <--- Whichever columns you have
// Here we execute the query and store the result
$stmt->execute();
$stmt->store_result();
// Here we store the results of each row in our PHP variables ($column1, $column2, ...)
while ($stmt->fetch()) {
    // Now we can do whatever we want (store in array, echo, etc)
    echo "<p>$column1 - $column2 - ...</p>";
}
$stmt->close();
$conn->close();
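As an added example (not code from the question or the answer above), the same `book` lookup as a complete prepared-statement function that validates the id before it reaches MySQL and uses get_result() so the column names need not be known in advance. It assumes a `book` table with an integer `id` column, mysqlnd being available for get_result(), and placeholder connection settings.

```php
<?php
declare(strict_types=1);

// Make mysqli throw exceptions instead of failing silently.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function findBookById(mysqli $conn, $rawId): ?array
{
    // Validate at the boundary: only a genuine integer is ever bound.
    // Anything else (letters, quotes, empty input) is rejected here.
    $id = filter_var($rawId, FILTER_VALIDATE_INT);
    if ($id === false) {
        return null;
    }

    // The query text is fixed; "?" is a bound parameter, never concatenated input.
    $stmt = $conn->prepare("select * from `book` where id = ? limit 1");
    $stmt->bind_param("i", $id);
    $stmt->execute();

    // get_result() hands back rows as associative arrays, whatever the schema.
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();

    return $row ?: null;
}

// Placeholder connection settings (assumption); replace with your own.
$conn = new mysqli("localhost", "user", "pass", "database");
$conn->set_charset("utf8mb4");

// A request like ?id=42 looks up the bound integer 42; a non-integer id
// returns null without a query being sent at all.
var_dump(findBookById($conn, $_GET['id'] ?? ''));

$conn->close();
```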
Your code is vulnerable to [SQL injection](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). Please start using prepared, parameterized queries.
[Escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe!