How do MySQL parameterized queries work? With an example, how is it implemented in PHP?
A parameterized query means that when you design the database connection and data access, wherever a value or piece of data has to be filled in, you supply it through a parameter instead of splicing it into the SQL text. This method is currently regarded as the most effective way to defend against SQL injection attacks.
// Escaping approach: input is escaped with mysql_real_escape_string() and then interpolated into the SQL text.
// mysql_real_escape_string() needs an open mysql_connect() link; note that the mysql_* extension was removed in PHP 7.0.
$link=mysql_connect("localhost","user","pass");
$query=sprintf("SELECT * FROM Users where UserName='%s' and Password='%s'",
mysql_real_escape_string($Username),
mysql_real_escape_string($Password));
mysql_query($query);
or
// Prepared-statement approach: the SQL text with ? placeholders is sent once, the values are bound separately.
$mysqli=new mysqli("localhost","user","pass","database");   // connection handle
$stmt=$mysqli->prepare("SELECT priv FROM testUsers WHERE username=? AND password=?");
$stmt->bind_param("ss",$user,$pass);   // "ss": both bound parameters are strings
$stmt->execute();
Follow-up question
Is the $mysqli in $mysqli->prepare the object created by $db=new mysqli("localhost","user","pass","database")?
How would this be written at the mysql command line?
Follow-up answer
mysqli is a PHP extension; in the terminal use mysql -u username -p
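To make the difference between the two snippets in the answer concrete, here is an added example (not code from the original answer) that runs a classic injection payload against a concatenated query and against a prepared statement. It uses PDO with an in-memory SQLite database so it runs offline; the table name, columns and sample rows are constructed for the demo, and for MySQL only the DSN changes (for example `new PDO('mysql:host=localhost;dbname=database;charset=utf8mb4', 'user', 'pass')`). The parameter binding is the PDO equivalent of the mysqli `bind_param("ss", ...)` call in the answer.

```php
<?php
// Added example, not part of the original answer.
// Assumptions: PDO with the sqlite driver is available; the Users table and
// its rows below are constructed sample data, not taken from the page.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// With the MySQL driver PDO emulates prepares client-side by default (it escapes
// and splices values itself). Turning emulation off makes the server parse the SQL
// once and receive the values separately, which is what "parameterized" means.
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

$pdo->exec("CREATE TABLE Users (UserName TEXT, Password TEXT, priv TEXT)");
$pdo->exec("INSERT INTO Users VALUES ('admin', 's3cret', 'admin'), ('bob', 'hunter2', 'user')");

// Vulnerable: the user-controlled strings become part of the SQL text.
function loginUnsafe(PDO $pdo, string $user, string $pass): ?string
{
    $sql = "SELECT priv FROM Users WHERE UserName='$user' AND Password='$pass'";
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row ? $row['priv'] : null;
}

// Parameterized: the SQL text is fixed; the values are bound to the ? placeholders
// and can never change the structure of the statement.
function loginSafe(PDO $pdo, string $user, string $pass): ?string
{
    $stmt = $pdo->prepare("SELECT priv FROM Users WHERE UserName=? AND Password=?");
    $stmt->execute([$user, $pass]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ? $row['priv'] : null;
}

// Constructed attacker input: closes the quoted username and comments out the
// rest of the WHERE clause, so the password is never checked.
$payloadUser = "admin' -- ";
$payloadPass = "anything";

var_dump(loginUnsafe($pdo, $payloadUser, $payloadPass));
var_dump(loginSafe($pdo, $payloadUser, $payloadPass));
var_dump(loginSafe($pdo, 'admin', 's3cret'));
```

Run with `php example.php`: the unsafe function logs the attacker in as admin without a password because the query text became `... WHERE UserName='admin' -- ' AND Password='anything'`, while the safe function looks for a user literally named `admin' -- ` and finds nothing; only the real credentials return a row. Regarding the follow-up about the mysql command line: the server-side form of the same idea is a prepared statement, `PREPARE s FROM 'SELECT priv FROM testUsers WHERE username=? AND password=?'; SET @u='admin', @p='s3cret'; EXECUTE s USING @u, @p; DEALLOCATE PREPARE s;`, which is what the mysqli and PDO code above ask the server to do on the application's behalf.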