Prepared Statements and SQL Injection

This question already has an answer here:

  • Are PDO prepared statements sufficient to prevent SQL injection? 7 answers
  • How can I prevent SQL injection in PHP? 28 answers

  • Simple answer, no. SQL injection involves inputting strings that are used as part of the SQL control itself rather than values for a part of the query. By parameterizing the query, you essentially cordon off the variable, which covers the cases protected by *_escape_string calls and is more secure.

    链接地址: http://www.djcxy.com/p/93754.html

    上一篇: PDO是否准备了足够的语句

    下一篇: 准备好的语句和SQL注入