Is my PDO query safe from SQL injection

This question already has an answer here:

  • Are PDO prepared statements sufficient to prevent SQL injection? 7 answers

  • Yes - when used this way, a parameterized query is safe against injection.


    As long as you use prepared statements properly, you're safe from injection. But as soon as you DIRECTLY insert any external data into a query, even if it's otherwise a prepared statement, e.g.

    INSERT INTO $table VALUES (:param)
    

    you're vulnerable - $table can be subverted in this case, even though you're using a prepared statement.

    Anyone who tells you simply switching mysql->PDO or mysqli will make you safer is flat out WRONG. You can be just as vulnerable to injection attacks with either library.


    You should also

    $db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    

    By default it uses emulated mode, which merely does what mysql_real_escape_string does. In some edge cases, you're still vulnerable to SQL injection.
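As an added example (not code from the answer above), this shows the two points it makes in one place: the `$table` identifier cannot be bound as a parameter, so it is checked against a fixed allow-list before being spliced into the SQL text, while the user-supplied value is bound with emulation turned off. The DSN, credentials and the `users`/`email` schema are assumed placeholders.

```php
<?php
// Added example, not from the original answer. Assumes a MySQL database
// reachable via the DSN below and a table "users" with an "email" column.
declare(strict_types=1);

// Placeholders cannot bind table or column names, so a dynamic $table
// like the one in the answer must come from a fixed allow-list instead.
const ALLOWED_TABLES = ['users', 'orders'];

function connect(): PDO
{
    // Charset in the DSN plus real (non-emulated) prepares: bound values are
    // sent separately from the SQL text, so no client-side escaping happens.
    $dsn = 'mysql:host=127.0.0.1;dbname=app;charset=utf8mb4';
    return new PDO($dsn, 'app', 'placeholder-password', [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

function findByEmail(PDO $pdo, string $table, string $email): array
{
    // Reject any identifier not on the allow-list before it reaches the query.
    if (!in_array($table, ALLOWED_TABLES, true)) {
        throw new InvalidArgumentException("Unknown table: $table");
    }
    // $table is now a known-good identifier; the user value is bound, not spliced.
    $stmt = $pdo->prepare("SELECT * FROM `$table` WHERE email = :email");
    $stmt->execute([':email' => $email]);
    return $stmt->fetchAll();
}

// Quotes or comment markers in the bound value are matched literally as data.
$rows = findByEmail(connect(), 'users', "alice@example.com' OR '1'='1");
var_dump(count($rows));

// Attempting a table name that is not on the list fails before any SQL is built.
try {
    findByEmail(connect(), 'users; DROP TABLE users', 'x@example.com');
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```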
