问题描述
我发现有必要在一个我所知甚少的领域中工作.我必须保护一个使用大约20个MySQL SELECT调用向网站访问者提供信息的网站数据库.呼叫全部采用以下形式:
I am finding it necessary to work in an area that I have very little knowledge in. I have to secure a website database that uses about 20 MySQL SELECT calls to supply information to website visitors. The calls all take the form of:
$leadstory = "-1";
if (isset($_GET['leadstory'])) {
$leadstory = $_GET['leadstory'];
}
$query_News = "SELECT * FROM news WHERE lead_story = $leadstory";
$News = mysql_query($query_News, $HDAdave) or die(mysql_error());
$row_News = mysql_fetch_assoc($News);
$totalRows_News = mysql_num_rows($News);
在上一篇文章中,我问这些SELECT语句是否容易受到sql插入攻击.大家可能都知道答案是肯定的.我已经阅读并理解我需要使用mysqli以及类似以下的内容:
In a previous post I asked if these SELECT statements were vulnerable to sql insertion attacks. The answer was yes as you all probably know. I have done some reading and understand that I need to use mysqli and something like the following:
$statement = $db_connection->prepare("SELECT * FROM news WHERE lead_story = ?;';");
$statement->bind_param("s", $leadstory);
$statement->execute();
$row_News = $statement->fetchAll();
我有几个问题.
-
如果连接失败,我是否需要输入"或死"类型的行?
如何分配 $ totalRows_News ?
我还需要使用mysql_real_escape_string"清理" $leadstory变量吗?
Do I also need to "clean" the $leadstory variable with mysql_real_escape_string?
推荐答案
使用PDO将使您的生活更加轻松
Using PDO would make your life so much easier
$pdo = new PDO(...);
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$stmt = $pdo->prepare('SELECT * FROM news WHERE lead_story = ?');
$stmt->bindParam(1, $leadStory);
$stmt->execute();
$allRows_News = $stmt->fetchAll();
$totalRows_News = count($allRows_News);
这篇关于正确准备语句的语法的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!