- 在找 PDO 在 SQL injection 方面的資料時找到的網站 Cluesheet.com,開宗明義,第一句就講了:
Do use PDO parameters over SQL values to avoid SQL injection.
,可是沒說HOW and WHY…(汗)。 - 所以小實驗了一下,發現 bindParam() 有像 mysql_real_escape_string() 的效果。
$dbh = new PDO(DB_DSN, DB_USER, DB_PASSWORD); $sql_find_repeat = 'SELECT COUNT(*) FROM `table_name` WHERE `col_name` = ?;'; $sth = $dbh->prepare($sql_find_repeat); $sth->bindParam(1, $value, PDO::PARAM_STR); $sth->execute();
歡迎來到小豬圈!
2007-06-05
使用 PDO parameters 來避免 SQL injection
Subscribe to:
Post Comments (Atom)
個人常用鏈結
Labels
- .NET (1)
- Accessibility (3)
- ADSL (1)
- Apache (9)
- ASP.NET (1)
- Babyer (1)
- Browser (1)
- Canon MX700 (1)
- CAPTCHA (1)
- CentOS (1)
- CSS (7)
- DB:SQL (1)
- DB:SQLite (2)
- DNS (3)
- English (1)
- EXIF (1)
- filename.ext (1)
- Firefox (4)
- Firewall (1)
- Flash (4)
- Game 遊戲 (28)
- Game:PC (6)
- Game:PS3 (4)
- Game:Xbox360 (3)
- GNU (1)
- Google (6)
- Google:Android (8)
- Google:Blogger (2)
- Google:Chrome (1)
- Google:Code (2)
- GoogleAppEngine (2)
- GoogleMaps (1)
- GPG (1)
- Hinet (1)
- HTML (2)
- HTTP (1)
- i18n (1)
- IE (3)
- Java (2)
- Javascript (2)
- Linux (1)
- Microsoft (2)
- MIME (1)
- MySQL (7)
- NexusOne (2)
- OAuth (1)
- Open source 開放原始碼 (1)
- OpenID (1)
- OS (1)
- OS:Windows (33)
- PHP (49)
- PHP:GTK (2)
- PHP:PEAR (1)
- PHP:PECL (3)
- PHP:ZendFramework (4)
- PostgreSQL (1)
- PPPoE (1)
- RegularExpressions (2)
- Security (11)
- Sphinx (2)
- SQLite (1)
- TCP (1)
- Ubuntu (1)
- UDP (1)
- Usability (2)
- Virtaul PC (1)
- Wii (2)
- XML (1)
- Yahoo (2)
- Yahoo:BBAuth (1)
- Yahoo:YUI (1)
- Youtube (1)
- 不如賣雞排 (2)
- 不願役 (33)
- 中文處理 (1)
- 圖 (5)
- 媒體 (2)
- 影片 (1)
- 影音 (19)
- 思 (8)
- 攝 (9)
- 政 (7)
- 敗 (2)
- 漫畫 (5)
- 生活 (34)
- 硬體設備 (13)
- 網站開發 (16)
- 網路 (8)
- 英文 (3)
- 貓 (2)
- 資安 (1)
- 趣 (29)
- 軟體 (12)
- 遊記 (8)
- 運動 (2)
- 關於我 (1)
- 電影 (10)
No comments:
Post a Comment
Comment Form Message