Is this implementation of PDO and MySQL secure against MySQL Injections?

I have been looking into the PDO style of the PHP extension for doing MySQL queries in a secure way. I would like to know whether I am doing this correctly and whether I can trust it to be safe against MySQL injection etc. Any confirmation or correction would be greatly appreciated!

<?php
$nametosearch = $_POST['nametosearch']; // Is "Billy"
$db = new PDO('mysql:host=' . HOST . ';dbname=' . DBNAME, DBUSER, DBPASSWORD); // the all caps are PHP constants.
// $db->quote() wraps the value in quotes and escapes it for the connection's character set,
// then the result is concatenated straight into the SQL text.
$query = "SELECT * FROM " . DBNAME . ".sometable WHERE username=" . $db->quote($nametosearch) . " ORDER BY lastname ASC;";
$result = $db->query($query);
while ($row = $result->fetch(PDO::FETCH_ASSOC)) {
    // Do some stuff with results
}
$result->closeCursor();
$db = null;
?>

This is not a good way to build your query; you should use prepared statements to be sure it is safe:

<?php
$nametosearch = $_POST['nametosearch']; // Is "Billy"
$db = new PDO('mysql:host=' . HOST . ';dbname=' . DBNAME, DBUSER, DBPASSWORD); // the all caps are PHP constants.
// The :username placeholder is part of the SQL text; the value is sent separately and never parsed as SQL.
$statement = $db->prepare("SELECT * FROM " . DBNAME . ".sometable WHERE username = :username ORDER BY lastname ASC;");
// Named parameters are bound with a placeholder => value map.
$statement->execute(array(':username' => $nametosearch));
while ($row = $statement->fetch(PDO::FETCH_ASSOC)) {
    // ....
}
?>

This is the safe way to do DB queries with PDO.
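The answer above binds the search value but leaves two things implicit: the PDO connection options that make prepared statements genuinely server-side (with client-side emulation switched off and errors raised as exceptions), and the fact that identifiers such as the ORDER BY column cannot be bound at all and must be checked against an allowlist instead. The following is an added example, not code from the asker or the answerer; it assumes the same HOST, DBNAME, DBUSER and DBPASSWORD constants and a `sometable` table with `username` and `lastname` columns as in the question, and the `findUsers`, `connect` and `$allowedColumns` names are this example's own.

```php
<?php
// Added example (not the question's or answer's code). Assumes the same
// HOST/DBNAME/DBUSER/DBPASSWORD constants and a `sometable` table with
// `username` and `lastname` columns, as in the question.
declare(strict_types=1);

function connect(): PDO
{
    // Real server-side prepared statements (no client-side emulation),
    // exceptions instead of silent failures, and an explicit charset so
    // escaping and comparison use the same encoding as the connection.
    return new PDO(
        'mysql:host=' . HOST . ';dbname=' . DBNAME . ';charset=utf8mb4',
        DBUSER,
        DBPASSWORD,
        [
            PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES   => false,
            PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
        ]
    );
}

/**
 * Look up rows by exact username.
 *
 * The username travels as a bound parameter, so whatever the client sends is
 * compared literally against the column and is never parsed as SQL. The sort
 * column is an identifier and cannot be a parameter, so it is validated
 * against a fixed allowlist before being placed into the statement text.
 */
function findUsers(PDO $db, string $username, string $orderBy = 'lastname'): array
{
    static $allowedColumns = ['lastname', 'username'];
    if (!in_array($orderBy, $allowedColumns, true)) {
        throw new InvalidArgumentException('Unknown sort column');
    }

    // Only the allowlisted identifier is interpolated; the user value is bound.
    $stmt = $db->prepare(
        "SELECT * FROM sometable WHERE username = :username ORDER BY `$orderBy` ASC"
    );
    $stmt->bindValue(':username', $username, PDO::PARAM_STR);
    $stmt->execute();

    return $stmt->fetchAll();
}

$db = connect();
$rows = findUsers($db, $_POST['nametosearch'] ?? '');
foreach ($rows as $row) {
    // Do some stuff with results
}
$db = null;
```

Because the DSN already selects the database, the table no longer needs the `DBNAME.` prefix that the question concatenated in. If a caller passes a sort column that is not in `$allowedColumns`, the function refuses before any SQL is built rather than trying to escape the identifier.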