SELECT within SELECT PDO prepared statement

This question already has an answer here:

  • Are PDO prepared statements sufficient to prevent SQL injection? 7 answers

To clear any confusion, what I'm doing is this:

    $pdo = new PDO('..');
    $sql = 'SELECT id FROM users WHERE username = :username';
    $statement = $pdo->prepare($sql);
    $statement->bindParam(':username', $_POST['username']);
    $statement->execute();

Question is, what if $_POST['username'] contains 'SELECT * FROM users' (or any other query)?

    This query would return the ids of all users with the username "SELECT * FROM users".

    By passing $_POST['username'] as parameter the database knows that whatever string $_POST['username'] may contain it is NOT part of the query. It's just a string.

    This prevents SQL injection since the parameter will NOT be executed. This also means that

        SELECT name, continent FROM world WHERE continent IN (SELECT continent FROM world WHERE name='Brazil')

    with the second SELECT acting as the user input parameter, so that $_POST['name'] contains the query SELECT continent FROM world WHERE name='Brazil', won't work, because you can't include queries in parameters. Well, you can, but they will not be executed.
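The behaviour the answer describes, as an added, self-contained demonstration (not code from the question or the answer, and not from any project): it runs against an in-memory SQLite database through PDO, so no server is needed, and the `users` table, its three rows, the helper names `idsBound` and `idsConcatenated`, and both payloads are constructed here for the example. The same query is run once with a bound parameter and once with the value spliced into the query text, so the difference is visible on the results rather than only argued.

```php
<?php
declare(strict_types=1);

// Added example (not from the original question or answer). Uses an in-memory
// SQLite database via PDO; the table and rows below are constructed for the demo.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// With pdo_mysql you would also set PDO::ATTR_EMULATE_PREPARES to false so the
// server, not PHP, keeps the query text and the parameter values apart.

$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL)');
$pdo->exec("INSERT INTO users (username) VALUES ('alice'), ('bob'), ('SELECT * FROM users')");

// Bound parameter: the value travels as data and is never parsed as SQL.
// Returns the matching ids as integers (hypothetical helper name).
function idsBound(PDO $pdo, string $username): array
{
    $st = $pdo->prepare('SELECT id FROM users WHERE username = :username');
    $st->bindValue(':username', $username, PDO::PARAM_STR);
    $st->execute();
    return array_map('intval', $st->fetchAll(PDO::FETCH_COLUMN));
}

// Deliberately vulnerable counterpart: the value is spliced into the query text,
// so a quote in the input changes the query's structure (hypothetical helper name).
function idsConcatenated(PDO $pdo, string $username): array
{
    $st = $pdo->query("SELECT id FROM users WHERE username = '" . $username . "'");
    return array_map('intval', $st->fetchAll(PDO::FETCH_COLUMN));
}

// 1. The payload from the question, used as a username. Harmless either way:
//    it contains no quote, so it cannot leave the string literal.
$payload = 'SELECT * FROM users';
echo json_encode(idsBound($pdo, $payload)), "\n";        // [3]: only the row literally named that
echo json_encode(idsConcatenated($pdo, $payload)), "\n"; // [3] as well

// 2. A constructed payload that closes the string and appends a subquery.
$payload = "' OR id IN (SELECT id FROM users) OR username = '";
echo json_encode(idsBound($pdo, $payload)), "\n";        // []: no user has that odd name
echo json_encode(idsConcatenated($pdo, $payload)), "\n"; // [1,2,3]: the subquery ran
```

The first payload shows why "a query in a parameter" is not by itself the danger: without a quote it stays inside the literal even when concatenated. The second payload is what injection actually needs, and it only succeeds in the concatenated version; with `bindValue` the whole string, subquery included, is compared against `username` as plain text, exactly as the answer states.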

    Link: http://www.djcxy.com/p/93740.html
