
I know that PDO prepared statements should be used to avoid SQL injection. Must it always have this format:

$stmt = $db->prepare('SELECT * FROM table where id = :id');
$stmt->execute( array(':id' => $_GET['id']) );

or will any of the following formats negate SQL injection too?

VERSION 1

$queryString = "SELECT * FROM table WHERE id = ".$_GET['id'];
$stmt= $db->prepare($queryString);  
$stmt->execute();
$row = $stmt->fetchAll(PDO::FETCH_ASSOC);

VERSION 2

$stmt = $db->query("SELECT * FROM table WHERE id = ".$_GET['id']);
$row = $stmt->fetchAll(PDO::FETCH_ASSOC);

1 Answer


You must bind the variables as in the first code. Both the Version 1 and Version 2 code are unsafe.

answered 2013-06-13T03:21:45.760
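The following is an added example, not code from the question or the answer above. It puts the VERSION 1 shape next to the bound-parameter shape from the top of the question and runs both against an in-memory SQLite database, so it works offline; the table name, rows and the stand-in for $_GET['id'] are all constructed for the demo. It also adds a stricter variant (bindValue with PDO::PARAM_INT after validating the input) that goes beyond what the page shows.

```php
<?php
// Added example (not from the original question or answer). Requires the
// pdo_sqlite extension. Table, rows and input are constructed for the demo.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO items (id, name) VALUES (1, 'alpha'), (2, 'beta'), (3, 'gamma')");

// Constructed input standing in for $_GET['id']: a request parameter is a
// string and can carry anything, not only a number.
$untrustedId = '1 OR 1=1';

// VERSION 1 from the question: prepare() on an already-concatenated string.
// The value has become part of the SQL text before the driver sees it, so
// prepare() has nothing left to keep separate from the query. VERSION 2
// (query() on the same string) behaves identically.
function fetchConcatenated(PDO $db, string $id): array
{
    $stmt = $db->prepare('SELECT * FROM items WHERE id = ' . $id);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// The format from the top of the question: the SQL text is fixed and the
// value travels separately as a parameter, so it can only ever be a value.
function fetchBound(PDO $db, string $id): array
{
    $stmt = $db->prepare('SELECT * FROM items WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Stricter variant (not on the page): validate that the input is an integer
// before it reaches the database, then bind it with an explicit type.
function fetchBoundInt(PDO $db, string $id): array
{
    if (filter_var($id, FILTER_VALIDATE_INT) === false) {
        return []; // not a valid id, so there is nothing to look up
    }
    $stmt = $db->prepare('SELECT * FROM items WHERE id = :id');
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

printf("concatenated: %d row(s)\n", count(fetchConcatenated($db, $untrustedId)));
printf("bound:        %d row(s)\n", count(fetchBound($db, $untrustedId)));
printf("bound int:    %d row(s)\n", count(fetchBoundInt($db, $untrustedId)));
printf("bound int:    %d row(s) for a normal id\n", count(fetchBoundInt($db, '2')));
```

With that input the concatenated form returns the whole table, because the SQL the database receives is `SELECT * FROM items WHERE id = 1 OR 1=1`. The bound form returns no rows: the database compares the id column against the literal string `1 OR 1=1`, which matches nothing. The validated variant never sends the query at all. The difference is where the value enters: as part of the SQL text (unsafe, regardless of whether prepare() or query() is called afterwards) or as a separate parameter (safe). This holds whether or not PDO::ATTR_EMULATE_PREPARES is enabled, since emulation still quotes bound values as values rather than splicing raw text into the statement.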