版权声明:本文为博主原创文章,未经博主允许不得转载。 https://blog.csdn.net/sinat_34828933/article/details/80711964
防止sql注入时,我们可以运用mysqli扩展的预编译来实现
举例说明:
假如在做用户登录时,我们用用户名、密码来实现登录,我们怎么来实现防sql注入(此处只讲mysqli的方法)
假如用户表有user_name,password字段,登录时,我们提交,用户名和密码时,后台处理
$user_name = $params['user_name'];
$password = md5($params['password']);
$db = mysqli_connect('127.0.0.1','root','','webtest','3306');
mysqli_set_charset($db,'utf8');
$sql = 'SELECT id , user_name FROM user WHERE user_name =? AND password = ?';//'?'是占位符
$stmt = mysqli_prepare($db,$sql);//生成具柄
mysqli_stmt_bind_param($stmt,'ss',$user_name,$password);//绑定参数
mysqli_stmt_execute($stmt);//执行sql
mysqli_stmt_bind_result($stmt,$id,$user_name);//绑定结果
mysqli_stmt_fetch($stmt);//遍历结果