PHP PDO parameterized query code review: how safe am I?

I am a PHP beginner who has only just started writing code. Before I write any more, I need to know whether I am on the right track for building a secure website. So please review my code sample below.

PHP version 5.4.34
Database server version: 5.5.40-cll - MySQL Community Server (GPL)

Regarding connection.php
//should I use utf8mb4 and set server connection collation to utf8mb4_general_ci?
//also on html, is including <meta charset="utf-8"> necessary?
$options = array(PDO::MYSQL_ATTR_INIT_COMMAND => 'SET NAMES utf8');
$db = new PDO("mysql:host={$host};dbname={$dbname};charset=utf8", $username, $password, $options);
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->setAttribute(PDO::ATTR_DEFAULT_FETCH_MODE, PDO::FETCH_ASSOC);
$db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false); // enabled by default?
Insert query
$query = "INSERT INTO log (
username,
email,
ip,
time
) VALUES (
:username,
:email,
:lastip,
:lastlog
)";
$params = array(
':username' => $_POST['username'],
':email' => $_POST['email'],
':lastip' => $_SERVER['REMOTE_ADDR'],
':lastlog' => time()
);
try
{
$stmt = $db->prepare($query);
$result = $stmt->execute($params);
}
catch(PDOException $ex)
{
die();
}
Update query
$params = array(
':username' => $_SESSION['userdata']['username'],
':email' => $_POST['email'],
':age' => $_POST['age'],
':gender' => $_POST['gender']
);
$query = "UPDATE users SET
email = :email,
age = :age,
gender = :gender
where username = :username";
try
{
$stmt = $db->prepare($query);
$result = $stmt->execute($params);
}
catch(PDOException $ex)
{
die();
}
How safe am I against SQL injection? Is it safe enough against second-order attacks?

Answer

Completely safe. PDO statements prepare the query so as to avoid SQL injection. Even if someone tries, the prepare() function makes the necessary changes before anything is sent to the database.

Comment

If you want someone to review your code, you should ask. Read their help center before posting.
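The second-order case the question asks about, as an added example that is not code from the question or the answer: a value stored through a parameterized INSERT is safe in that statement, but becomes dangerous again only if a later query concatenates it into SQL text. It assumes the `log` table from the question, a `connect()` helper mirroring connection.php with the utf8mb4 and emulated-prepares choices applied, and placeholder credentials.

```php
<?php
// Added example, not from the question or the answer. Assumes the `log`
// table from the question (username, email, ip, time) and MySQL >= 5.5.3.
function connect($host, $dbname, $user, $pass)
{
    // utf8mb4 covers all of Unicode (MySQL's utf8 stops at 3 bytes); the
    // charset in the DSN replaces SET NAMES on PHP >= 5.3.6.
    $dsn = "mysql:host={$host};dbname={$dbname};charset=utf8mb4";
    return new PDO($dsn, $user, $pass, [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
        // pdo_mysql emulates prepares by default; disable it so the server
        // receives the SQL text and the values separately.
        PDO::ATTR_EMULATE_PREPARES   => false,
    ]);
}
// The parameterized INSERT from the question. It protects this statement
// only; the stored value is not sanitised for any later use.
function logLogin(PDO $db, $username, $email, $ip)
{
    $stmt = $db->prepare(
        'INSERT INTO log (username, email, ip, time) VALUES (:u, :e, :ip, :t)'
    );
    $stmt->execute([':u' => $username, ':e' => $email, ':ip' => $ip, ':t' => time()]);
}
// Second-order injection: a value that was stored safely is read back later
// and concatenated into a new query, so it becomes SQL text again. This is
// the pattern a review should flag; shown here only for contrast.
function countLoginsUnsafe(PDO $db, $username)
{
    $sql = "SELECT COUNT(*) AS n FROM log WHERE username = '{$username}'";
    return (int) $db->query($sql)->fetch()['n'];
}
// Hardened form: a placeholder for every data value, whether it came from
// $_POST, $_SESSION or an earlier query result.
function countLogins(PDO $db, $username)
{
    $stmt = $db->prepare('SELECT COUNT(*) AS n FROM log WHERE username = :u');
    $stmt->execute([':u' => $username]);
    return (int) $stmt->fetch()['n'];
}
// die() in a catch block hides the failure: log it server-side instead.
try {
    $db = connect('localhost', 'app', 'app_user', 'secret'); // placeholder credentials
    logLogin($db, $_POST['username'], $_POST['email'], $_SERVER['REMOTE_ADDR']);
} catch (PDOException $ex) {
    error_log($ex->getMessage());
    http_response_code(500);
}
```

The reviewer's checklist that follows from this: every query that carries data, including data read from your own tables, goes through a placeholder, and catch blocks record the error rather than swallowing it with die().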