本文介绍了mysqli_stmt_bind_param SQL注入的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!
问题描述
使用准备好的语句和mysqli_stmt_bind_param时,仍有注入风险吗?
Is there still an injection risk when using prepared statements and mysqli_stmt_bind_param?
例如:
$malicious_input = 'bob"; drop table users';
mysqli_stmt_bind_param($stmt, 's', $malicious_input);
mysqli_stmt_bind_param在后台将此查询字符串传递给mysql:
Behind the scenes does mysqli_stmt_bind_param pass this query string to mysql:
SET @username = "bob"; drop table users";
它是通过API执行SET命令还是使用某种类型的保护措施来防止这种情况发生?
Or does it perform the SET command through the API, or use some type of protection to keep this from happening?
推荐答案
它使用C API,因此在这种情况下没有机会进行SQL注入.
It uses the C API, so in this case there is no chance for SQL injection.
这篇关于mysqli_stmt_bind_param SQL注入的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!