mysqli 准备好的语句和 mysqli_real_escape_string

我目前正在使用 mysqli php 扩展.

I'm currently using the mysqli php extension.

传统上我使用 mysqli_real_escape_string 来转义用户输入.但是,我正在考虑更改代码(希望以尽可能少的步骤)以使用准备好的语句.

Traditionally I have used mysqli_real_escape_string to escape user input. However I am looking at changing over the code (hopefully in as few steps as possible) to use prepared statements.

我想清楚这一点 - 如果我使用准备好的语句来绑定我的所有变量,我可以确信 sql 注入是不可能的吗?(并完全免除 mysqli_real_escape_string?)

I want to be clear on this - provided I use prepared statements to bind all of my variables, can I be confident that sql injection is impossible? (And dispense completely with mysqli_real_escape_string?)

谢谢

推荐答案

如果您正确绑定所有变量,您可以显着降低 SQL 注入的风险.如果您动态创建 SQL,仍然有可能获得 SQL 注入,例如:

If you correctly bind all your variables you can dramatically reduce the risk of SQL injection. It is still possible to get an SQL injection if you create SQL dynamically for example:

'SELECT * FROM ' . $tablename . ' WHERE id = ?'

但如果你避免这样的事情,你就不太可能遇到问题.

But if you avoid things like this it is unlikely you will have problems.

相关文章