PHP PDO parameterized query code review: how safe am I?


I am a PHP newcomer who has just started writing code. Before I write any more, I need to know whether I am on the right path to building a secure website. So please look at my code sample below.

PHP version 5.4.34

Database server version: 5.5.40-cll - MySQL Community Server (GPL)

Regarding connection.php

//should I use utf8mb4 and set server connection collation to utf8mb4_general_ci?
//also on html, is including <meta charset="utf-8"> necessary?
$options = array(PDO::MYSQL_ATTR_INIT_COMMAND => 'SET NAMES utf8');
$db = new PDO("mysql:host={$host};dbname={$dbname};charset=utf8", $username, $password, $options);
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->setAttribute(PDO::ATTR_DEFAULT_FETCH_MODE, PDO::FETCH_ASSOC);
$db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false); // enabled by default?
Insert query

$query = "INSERT INTO log (
    username,
    email,
    ip,
    time
    ) VALUES (
    :username,
    :email,
    :lastip,
    :lastlog
    )";

$params = array(
    ':username' => $_POST['username'],
    ':email' => $_POST['email'],
    ':lastip' => $_SERVER['REMOTE_ADDR'],
    ':lastlog' => time()
    );

try
{
    $stmt = $db->prepare($query);
    $result = $stmt->execute($params);
}
catch(PDOException $ex)
{
    die();
}
Update query

$params = array(
    ':username' => $_SESSION['userdata']['username'],
    ':email' => $_POST['email'],
    ':age' => $_POST['age'],
    ':gender' => $_POST['gender']
    );

$query = "UPDATE users SET
    email = :email,
    age = :age,
    gender = :gender
    where username = :username";

try
{
    $stmt = $db->prepare($query);
    $result = $stmt->execute($params);
}
catch(PDOException $ex)
{
    die();
}

How safe am I against SQL injection? Is it safe enough against second-order attacks?

Completely safe. PDO prepared statements prepare the query to avoid SQL injection. Even if someone tries, the prepare() function makes the necessary changes before it is sent to the database.
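Worked example, added here and not taken from the question or either answer, showing the second-order case the question asks about: a value is stored safely through a bound parameter, but if it is later read back and concatenated into a new query it is injected anyway, while binding it again keeps it as data. It assumes PHP 5.4 or later with the pdo_sqlite extension and uses an in-memory SQLite database so it runs offline; with the question's MySQL setup only the DSN differs.

```php
<?php
// Added example (not the question's or the answers' code). SQLite in memory
// stands in for MySQL; for MySQL use the question's DSN and attributes and
// also keep PDO::ATTR_EMULATE_PREPARES set to false so the server binds values.
function openDb()
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->setAttribute(PDO::ATTR_DEFAULT_FETCH_MODE, PDO::FETCH_ASSOC);
    $db->exec('CREATE TABLE users (username TEXT, email TEXT, age INTEGER)');
    return $db;
}

// First order: raw input enters as bound data, exactly as in the question.
function insertUser(PDO $db, $username, $email, $age)
{
    $stmt = $db->prepare('INSERT INTO users (username, email, age)
                          VALUES (:username, :email, :age)');
    $stmt->execute(array(':username' => $username, ':email' => $email, ':age' => $age));
}

// Second order, unsafe: a value read back from the table is trusted and
// concatenated into SQL, so the stored quote breaks out of the literal.
function findByStoredNameUnsafe(PDO $db, $storedName)
{
    return $db->query("SELECT * FROM users WHERE username = '$storedName'")->fetchAll();
}

// Second order, safe: the stored value is bound again, so it stays data.
function findByStoredNameSafe(PDO $db, $storedName)
{
    $stmt = $db->prepare('SELECT * FROM users WHERE username = :username');
    $stmt->execute(array(':username' => $storedName));
    return $stmt->fetchAll();
}

$db = openDb();
insertUser($db, 'alice', 'alice@example.com', 30);
// Constructed input: a username holding a quote and an always-true clause.
insertUser($db, "x' OR '1'='1", 'mallory@example.com', 31); // stored safely

// Read the second username back from the table, as a later request would.
$names = $db->query('SELECT username FROM users')->fetchAll(PDO::FETCH_COLUMN);
$stored = $names[1];

printf("safe:   %d row(s)\n", count(findByStoredNameSafe($db, $stored)));   // 1
printf("unsafe: %d row(s)\n", count(findByStoredNameUnsafe($db, $stored))); // 2
```

The safe lookup returns only the one matching row, while the concatenated version returns every row, which is the second-order failure: binding protects a query only where it is used, not the data it stored.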

If you want someone to review your code, you should ask. Check their help center before posting.