所以我一直在閱讀很多關於準備好的陳述,並且不斷得到關於準備好的陳述如何防止mysql注入的各種答案。有些人說它完全覆蓋了它,而另一些人則說它們仍然有一些小的工作或某些事情。幾乎我只是想確認這個代碼,我是安全的,知道居然有準備語句中的任何孔:mysqli準備好的語句是否完全免受mysql注入?
<?php
ignore_user_abort(true);
$user = $_REQUEST['username'];
$pass = $_REQUEST['password'];
if (isset($user) && isset($pass)) {
require('/var/www/data/config.php'); //contains the db connection
if ($stmt = mysqli_prepare($mysqli, "SELECT password FROM users WHERE username=?")) {
mysqli_stmt_bind_param($stmt, 's', $user);
mysqli_stmt_execute($stmt);
mysqli_stmt_bind_result($stmt, $gpass);
mysqli_stmt_fetch($stmt);
mysqli_stmt_close($stmt);
if ($gpass) {
require('/var/www/data/handles/fCrypt.php');
$chk = verify($pass, $gpass); //custom blowfish validation
if ($chk) {
//password correct, continue
} else {
mysqli_close($mysqli);
//echo invalid password stuff
}
} else {
mysqli_close($mysqli);
//echo invalid username stuff
}
} else {
mysqli_close($mysqli);
die('Query Error');
}
} else {
die('Invalid Request');
}
?>
本質上是PDO準備語句安全的副本(http://stackoverflow.com/questions/1314521/how-safe-are-pdo-prepared-statements) – deceze 2013-04-04 06:49:11