I have read a lot about SQL injection and understand how it causes problems (e.g. DROP TABLE _ _ etc.). But I'm not sure how the tutorial I'm following actually prevents it. I'm just learning PDO, and I think I understand it. I don't understand SQL injection very well.
Is this code safe against SQL injection? Why? (It takes quite a lot of work to use these prepared statements, so I want to make sure I'm not just wasting my time! Also, if the code can be improved, please let me know.)
$conn = new PDO("mysql:host=$DB_HOST;dbname=$DB_DATABASE",$DB_USER,$DB_PASSWORD);
// Get the data
$firstname = $_POST["v_firstname"];
$lastname = $_POST["v_lastname"];
$origincountry = $_POST["v_origincountry"];
$citizenship = $_POST["v_citizenship"];
$gender = $_POST["v_gender"];
$dob = $_POST["v_dob"];
$language = $_POST["v_language"];
$landing = $_POST["v_landing"];
$email = $_POST["v_email"];
$phone = $_POST["v_phone"];
$cellphone = $_POST["v_cellphone"];
$caddress = $_POST["v_caddress"];
$paddress = $_POST["v_paddress"];
$school = $_POST["v_school"];
$grade = $_POST["v_grade"];
$smoker = $_POST["v_smoker"];
$referred = $_POST["v_referred"];
$notes = $_POST["v_notes"];
//Insert Data
$sql = "INSERT INTO clients (firstname, lastname, origincountry, citizenship, gender, dob, language, landing, email, phone, cellphone, caddress, paddress, school, grade, smoker, referred, notes)
VALUES (:firstname, :lastname, :origincountry, :citizenship, :gender, :dob, :language, :landing, :email, :phone, :cellphone, :caddress, :paddress, :school, :grade, :smoker, :referred, :notes)";
$q = $conn->prepare($sql);
$q->execute(array(
    ':firstname'     => $firstname,
    ':lastname'      => $lastname,
    ':origincountry' => $origincountry,
    ':citizenship'   => $citizenship,
    ':gender'        => $gender,
    ':dob'           => $dob,
    ':language'      => $language,
    ':landing'       => $landing,
    ':email'         => $email,
    ':phone'         => $phone,
    ':cellphone'     => $cellphone,
    ':caddress'      => $caddress,
    ':paddress'      => $paddress,
    ':school'        => $school,
    ':grade'         => $grade,
    ':smoker'        => $smoker,
    ':referred'      => $referred,
    ':notes'         => $notes
));
When you use prepared statements, the SQL engine can parse the query independently of the dynamic input; user input can no longer change the meaning of the query. – DCoder
I think it is. SQL injection happens when you concatenate user input into the SQL statement, like 'SELECT * FROM users WHERE id = ' + id;, because the user input ('id' here) can be harmful (e.g. id = '1; DROP TABLE users'). – 2012-09-02 05:50:30
See also http://en.wikipedia.org/wiki/SQL_injection – 2012-09-02 05:50:53
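The point DCoder makes above, shown side by side as an added example (not code from the question or its comments): the same input pasted into the query text rewrites the WHERE clause, while bound to a placeholder it is only ever compared as a value. It uses an in-memory SQLite database and a constructed input string so it runs offline; the table and column names are assumptions.

```php
<?php
// Added example: concatenation versus a PDO prepared statement.
// In-memory SQLite so nothing outside this script is needed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE clients (id INTEGER PRIMARY KEY, firstname TEXT)");
$pdo->exec("INSERT INTO clients (firstname) VALUES ('Alice'), ('Bob')");

// Constructed input standing in for $_POST["v_firstname"].
$input = "x' OR '1'='1";

// VULNERABLE: the input becomes part of the SQL text, so the quote
// characters inside it close the literal and the WHERE clause is rewritten.
$unsafeSql  = "SELECT firstname FROM clients WHERE firstname = '$input'";
$unsafeRows = $pdo->query($unsafeSql)->fetchAll(PDO::FETCH_COLUMN);
// $unsafeRows is ['Alice', 'Bob']: every row, though no client has that name.

// SAFE: the query is parsed with a placeholder first; the input is bound
// afterwards as a value and is compared, never parsed.
$stmt = $pdo->prepare("SELECT firstname FROM clients WHERE firstname = :firstname");
$stmt->execute([':firstname' => $input]);
$safeRows = $stmt->fetchAll(PDO::FETCH_COLUMN);
// $safeRows is []: nothing matches the literal string x' OR '1'='1.

// The same holds for the INSERT in the question: the value is stored verbatim.
$ins = $pdo->prepare("INSERT INTO clients (firstname) VALUES (:firstname)");
$ins->execute([':firstname' => $input]);
$check = $pdo->prepare("SELECT COUNT(*) FROM clients WHERE firstname = :firstname");
$check->execute([':firstname' => $input]);
$stored = (int) $check->fetchColumn();
// $stored is 1: the quotes travelled as data, not as SQL.

echo "concatenated: " . count($unsafeRows) . " rows, prepared: " . count($safeRows)
   . " rows, stored verbatim: $stored\n";
```

With the MySQL driver, PDO emulates prepares client-side by default; setting PDO::ATTR_EMULATE_PREPARES to false sends the query text and the bound values to the server separately, which is the behaviour DCoder describes.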