PHP: Prepared statements (newbie), just need to confirm this about SQL injection

2018-05-31 17:52:54

I have long used the mysql_query() to do my stuff but now I am shifting to prepared statements for two reasons:
performance and no sql injection possibility

This is how I am using it:

function add_new_user($e_mail1,$username,$pass)
    {
    require_once "db.php";

$stmt = $mysqli->prepare("INSERT INTO un_users VALUES ('',?, ?,0,0,?,0)");
$stmt->bind_param('sss', $e_mail1, $username,$pass); 

$stmt->execute();    
$stmt->close();
    }

I am not sanitizing the three variables ($e_mail1,$username,$pass) when i pass them to the function or anything else.

Am I doing it the correct way or did I screw up somewhere or need to do something else? I'm a newbie with this (still going through the docs) so feel free to shower your knowledge :D

Thanks!

是的，你做得对。

链接地址: http://www.djcxy.com/p/7802.html

上一篇: 如何在Selenium的open（）之前创建cookie

下一篇: PHP：Prepared语句（新手），只需要确认这一点关于SQL注入