0

我真的只是想检查这个语句的语法,并确保它是一个不受 sql 注入的语句。谁能帮我检查一下并告诉我?

$lookupusername= $conn->prepare('SELECT * FROM users WHERE ID =":userId"');
$lookupusername->bindParam(':userId', $userid, PDO::PARAM_STR, 12);
$row = $lookupusername->fetch();
$username = $row['username'];
$usercountry = $row['country'];
if ($username == ""){
header('Location: index.php');
}

还有这样的说法:

$sql = $conn->query('SELECT description, city, status, state, country, needsusername, howmanypeopleneeded, howmanypeoplesignedup, needs.orgname, needs.ID, titleofneed, expiredate, datesubmitted, datetime FROM needs INNER JOIN follow ON follow.followname = needs.needsusername WHERE follow.username=' . $conn->quote($username) . ' AND needs.christmas="0" AND needs.status="posted" ORDER BY datesubmitted DESC');
while ($frows = $sql->fetch()) {

最终代码:

$lookupusername= $conn->prepare('SELECT * FROM users WHERE ID=:userid');
$lookupusername->bindParam(':userid', $userid);
$lookupusername->execute();
$row = $lookupusername->fetch();
$username = $row['username'];
$usercountry = $row['country'];

我没有执行准备好的语句。

4

1 回答 1

3

我会推荐conn->[execute][1]而不是[query][2]. 因为这将是一个真正准备好的陈述,而不是你需要逃避的陈述。

SELECT * FROM users WHERE ID =:userID

然后做: 

bindParam(':userId', $userId, PDO::PARAM_STR, 12);

就恶意内容而言,假设我传递给您一个userId如下所示的内容: 

<script>alert('Hi')</script>

现在还假设您将我的 userId 显示给管理员或其他用户。我可能会注入稍后执行的恶意代码。因此,您仍然必须注意确保正确转义返回给用户的数据。但在大多数情况下,绑定参数会阻止任意 SQL 执行。

功能代码: 

$sql= $conn->prepare('SELECT * FROM users WHERE ID =:userID');
$sql->bindParam(':userId', $userId, PDO::PARAM_STR, 12);
于 2013-09-10T21:12:13.280 回答