开发者

php - mysql avoid sql injections

问答 作者:

I have many functions like

updateUser($id,$username,$email)
updateMusic($id, $music)

etc...

Is there a generic function to avoid SQL injections ?

I just want to avoid us开发者_JS百科ing mysql_real_escape_string for each parameter I have

$username = mysql_real_escape_string($username);
$email= mysql_real_escape_string($email);
$music= mysql_real_escape_string($music);

  • ALWAYS use prepared statements

  • Do NOT use mysql driver, use mysqli or PDO

You should use parameterization and let the database driver handle it for you, i.e. with PDO:

$dbh = new PDO('mysql:dbname=testdb;host=127.0.0.1', $user, $password); 
$stmt = $dbh->prepare('INSERT INTO REGISTRY (name, value) VALUES (:name, :value)');
$stmt->bindParam(':name', $name); 
$stmt->bindParam(':value', $value); 

// insert one row 
$name = 'one'; 
$value = 1; 
$stmt->execute();

Code from Bobby-Tables.

you may use, 

list($id,$music) = array_map('mysql_real_escape_string',array($id,$music))

but prepared statements rocks

No there isn't, but you can parse all your inputs ( eg. GET and POST ) at beggining of the script

继续阅读:php

更多精彩内容

0

上一篇:

下一篇:

精彩评论

暂无评论...
登录 注册
Qedev.com
验证码 换一张
取 消

最新问答

问答排行榜

法律声明:本站内容均为网友上传,网站举办方负责审核和监督,

如存在版权或非法内容,欢迎举报,我们将尽快予以删除。

Copyright © 2018-2020 开发者. All rights reserved.

Powered by 开发者

ICP备案号: 京ICP备10032868号-9