创建 PHP 准备好的语句的正确方法?
Proper way to create PHP prepared statement?
我是新手 PHP
目前正在构建我的第一个网络应用程序!
我创建了这个 PHP 脚本来注册/注册我的网络应用程序,
我希望它能防止 SQL 注入
所以我在这里需要一些指导,我都是从零开始自学的!
所以我决定利用我所阅读和学到的东西。
这是我的代码:
$server = "localhost";
$user = "root";
$pass = "";
$selected_db = "User";
$selected_table = "usersbio";
// Create connection
$linking = new mysqli($server, $user, $pass, $selected_db);
// Input variable
$firstname = mysqli_real_escape_string($linking, $_POST['firstname']);
$lastname = mysqli_real_escape_string($linking, $_POST['lastname']);
$userpass = mysqli_real_escape_string($linking, $_POST['userpass']);
$useremail = mysqli_real_escape_string($linking, $_POST['useremail']);
$udob_d = mysqli_real_escape_string($linking, $_POST['userdobd']);
$udob_m = mysqli_real_escape_string($linking, $_POST['userdobm']);
$udob_y = mysqli_real_escape_string($linking, $_POST['userdoby']);
$hashingpass = password_hash($userpass, PASSWORD_DEFAULT);
// Saving data to db - table
$stmt = $linking->prepare("INSERT INTO $selected_table (userfirstname,
userlastname, userpasskey, useremail, userdobd, userdobm, userdoby)
VALUES ('?', '?', '?', '?', '?', '?', '?')");
$stmt->bind_param('s', 's', 's', 's', 'i', 's', 'i', $firstname,
$lastname, $hashingpass, $useremail, $udob_d, $udob_m, $udob_y);
$stmt->execute();
$linking->close();
您的 prepare() 语句看起来应该有效...
也正如 Alex Howansky 所说:
不要依赖 real_escape_string() 函数来防止 SQL 注入,仅靠它们是不够的。您应该通过 mysqli 或 PDO 使用带有绑定参数的准备好的语句。这个 post 有一些很好的例子。
参考:How can I prevent SQL injection in PHP?
您还必须删除问号周围的单引号...
试试这个:
$server = "localhost";
$user = "root";
$pass = "";
$selected_db = "User";
$selected_table = "usersbio";
// Create connection
$linking = new mysqli($server, $user, $pass, $selected_db);
// Input variable
$firstname = mysqli_real_escape_string($linking, $_POST['firstname']);
$lastname = mysqli_real_escape_string($linking, $_POST['lastname']);
$userpass = mysqli_real_escape_string($linking, $_POST['userpass']);
$useremail = mysqli_real_escape_string($linking, $_POST['useremail']);
$udob_d = mysqli_real_escape_string($linking, $_POST['userdobd']);
$udob_m = mysqli_real_escape_string($linking, $_POST['userdobm']);
$udob_y = mysqli_real_escape_string($linking, $_POST['userdoby']);
$hashingpass = password_hash($userpass, PASSWORD_DEFAULT);
// Saving data to db - table
$stmt = $linking->prepare("INSERT INTO $selected_table (userfirstname,
userlastname, userpasskey, useremail, userdobd, userdobm, userdoby)
VALUES (?, ?, ?, ?, ?, ?, ?)");
$stmt->bind_param('ssssisi', $firstname,
$lastname, $hashingpass, $useremail, $udob_d, $udob_m, $udob_y);
$stmt->execute();
$linking->close();
这是更新后的查询:
INSERT INTO $selected_table (userfirstname, userlastname, userpasskey, useremail, userdobd, userdobm, userdoby)
VALUES (?, ?, ?, ?, ?, ?, ?)
如果您需要有关准备语句的更多帮助,请查看此 link:
http://php.net/manual/en/mysqli.quickstart.prepared-statements.php
如果您刚刚开始,我建议您使用 PDO 而不是旧的 mysqli 接口。它更简洁,更易于使用。您的代码如下所示:
<?php
$server = "localhost";
$user = "root";
$pass = "";
$selected_db = "User";
// Create connection
$linking = new PDO("mysql:host=$server;dbname=$selected_db", $user, $pass);
// Saving data to db - table
$query = "
INSERT INTO usersbio
(userfirstname, userlastname, userpasskey, useremail, userdobd, userdobm, userdoby)
VALUES (?, ?, ?, ?, ?, ?, ?)";
$params = [
$_POST["firstname"],
$_POST["lastname"],
password_hash($_POST["userpass"], PASSWORD_DEFAULT),
$_POST["useremail"],
$_POST["userdobd"],
$_POST["userdobm"],
$_POST["userdoby"],
];
$stmt = $linking->prepare($query);
$stmt->execute($params);
$linking->close();
我是新手 PHP
目前正在构建我的第一个网络应用程序!
我创建了这个 PHP 脚本来注册/注册我的网络应用程序, 我希望它能防止 SQL 注入 所以我在这里需要一些指导,我都是从零开始自学的!
所以我决定利用我所阅读和学到的东西。
这是我的代码:
$server = "localhost";
$user = "root";
$pass = "";
$selected_db = "User";
$selected_table = "usersbio";
// Create connection
$linking = new mysqli($server, $user, $pass, $selected_db);
// Input variable
$firstname = mysqli_real_escape_string($linking, $_POST['firstname']);
$lastname = mysqli_real_escape_string($linking, $_POST['lastname']);
$userpass = mysqli_real_escape_string($linking, $_POST['userpass']);
$useremail = mysqli_real_escape_string($linking, $_POST['useremail']);
$udob_d = mysqli_real_escape_string($linking, $_POST['userdobd']);
$udob_m = mysqli_real_escape_string($linking, $_POST['userdobm']);
$udob_y = mysqli_real_escape_string($linking, $_POST['userdoby']);
$hashingpass = password_hash($userpass, PASSWORD_DEFAULT);
// Saving data to db - table
$stmt = $linking->prepare("INSERT INTO $selected_table (userfirstname,
userlastname, userpasskey, useremail, userdobd, userdobm, userdoby)
VALUES ('?', '?', '?', '?', '?', '?', '?')");
$stmt->bind_param('s', 's', 's', 's', 'i', 's', 'i', $firstname,
$lastname, $hashingpass, $useremail, $udob_d, $udob_m, $udob_y);
$stmt->execute();
$linking->close();
您的 prepare() 语句看起来应该有效...
也正如 Alex Howansky 所说:
不要依赖 real_escape_string() 函数来防止 SQL 注入,仅靠它们是不够的。您应该通过 mysqli 或 PDO 使用带有绑定参数的准备好的语句。这个 post 有一些很好的例子。
参考:How can I prevent SQL injection in PHP?
您还必须删除问号周围的单引号...
试试这个:
$server = "localhost";
$user = "root";
$pass = "";
$selected_db = "User";
$selected_table = "usersbio";
// Create connection
$linking = new mysqli($server, $user, $pass, $selected_db);
// Input variable
$firstname = mysqli_real_escape_string($linking, $_POST['firstname']);
$lastname = mysqli_real_escape_string($linking, $_POST['lastname']);
$userpass = mysqli_real_escape_string($linking, $_POST['userpass']);
$useremail = mysqli_real_escape_string($linking, $_POST['useremail']);
$udob_d = mysqli_real_escape_string($linking, $_POST['userdobd']);
$udob_m = mysqli_real_escape_string($linking, $_POST['userdobm']);
$udob_y = mysqli_real_escape_string($linking, $_POST['userdoby']);
$hashingpass = password_hash($userpass, PASSWORD_DEFAULT);
// Saving data to db - table
$stmt = $linking->prepare("INSERT INTO $selected_table (userfirstname,
userlastname, userpasskey, useremail, userdobd, userdobm, userdoby)
VALUES (?, ?, ?, ?, ?, ?, ?)");
$stmt->bind_param('ssssisi', $firstname,
$lastname, $hashingpass, $useremail, $udob_d, $udob_m, $udob_y);
$stmt->execute();
$linking->close();
这是更新后的查询:
INSERT INTO $selected_table (userfirstname, userlastname, userpasskey, useremail, userdobd, userdobm, userdoby)
VALUES (?, ?, ?, ?, ?, ?, ?)
如果您需要有关准备语句的更多帮助,请查看此 link:
http://php.net/manual/en/mysqli.quickstart.prepared-statements.php
如果您刚刚开始,我建议您使用 PDO 而不是旧的 mysqli 接口。它更简洁,更易于使用。您的代码如下所示:
<?php
$server = "localhost";
$user = "root";
$pass = "";
$selected_db = "User";
// Create connection
$linking = new PDO("mysql:host=$server;dbname=$selected_db", $user, $pass);
// Saving data to db - table
$query = "
INSERT INTO usersbio
(userfirstname, userlastname, userpasskey, useremail, userdobd, userdobm, userdoby)
VALUES (?, ?, ?, ?, ?, ?, ?)";
$params = [
$_POST["firstname"],
$_POST["lastname"],
password_hash($_POST["userpass"], PASSWORD_DEFAULT),
$_POST["useremail"],
$_POST["userdobd"],
$_POST["userdobm"],
$_POST["userdoby"],
];
$stmt = $linking->prepare($query);
$stmt->execute($params);
$linking->close();