1、mysqli 防注入
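<?php

declare(strict_types=1);

// Connection settings. The "xxxx"/"xxx" placeholders are kept from the
// original sample; real credentials belong in configuration outside the
// web root, not in the script.
$config = [
    // MySQL host
    "host" => "127.0.0.1",
    // database name
    "dbname" => "xxxx",
    // user name
    "user" => "xxxx",
    // password
    "pass" => "xxx",
];

// Make mysqli throw mysqli_sql_exception on connect/prepare/execute failure
// instead of returning false; the original never checked those return values,
// so a failed connect would reach mysqli_stmt_bind_param() with a non-object.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Connect to the database.
$link = mysqli_connect($config["host"], $config["user"], $config["pass"], $config["dbname"]);

// Read the user id and coerce it to int, as the original comment intended:
// the original assigned the raw $_GET value right after its intval() line,
// discarding the cast. `??` avoids an undefined-index warning when the
// parameter is missing.
$user_id = intval($_GET["id"] ?? 0);
$user_name = (string) ($_GET["name"] ?? "");

// Statement text with positional placeholders. The bound values are sent to
// the server separately from this text, so they can never be parsed as SQL.
$sql = "select * from p_users where user_id=? and user_name=?";

// var_dump() prints directly and returns null; the original `echo "<br>".var_dump($sql)`
// therefore printed the dump first and the "<br>" afterwards.
echo "<br>";
var_dump($sql);

// Prepare the statement.
$stmt = mysqli_prepare($link, $sql);

// Bind parameters: "i" = first placeholder is an integer, "s" = second is a string.
mysqli_stmt_bind_param($stmt, "is", $user_id, $user_name);

// Execute.
mysqli_stmt_execute($stmt);

// Fetch the result set.
$res = mysqli_stmt_get_result($stmt);

// Convert to a list of associative rows (the original passed the literal 1,
// which is the value of MYSQLI_ASSOC).
$rows = mysqli_fetch_all($res, MYSQLI_ASSOC);

// Escape before echoing into HTML: the row values come from the database and
// may contain markup, so print_r output must not be emitted raw.
// The original closed the block with a second "<pre>" instead of "</pre>".
echo "<pre>";
echo htmlspecialchars(print_r($rows, true), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
echo "</pre>";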
2、PDO防注入
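<?php

declare(strict_types=1);

// Connection settings ("xxx" placeholders kept from the original sample;
// real credentials belong in configuration outside the web root).
$config = [
    // MySQL host
    "host" => "127.0.0.1",
    // database name
    "dbname" => "xxx",
    // user name
    "user" => "xxx",
    // password
    "pass" => "xxx",
];

// Connect. ERRMODE_EXCEPTION makes prepare()/execute() throw instead of
// returning false (the original checked neither). EMULATE_PREPARES=false
// sends the statement and its parameters to the server separately, i.e. a
// real server-side prepared statement; on PHP versions before 8.1 this may
// also return numeric columns as native ints rather than strings.
$dbh = new PDO(
    "mysql:host={$config['host']};dbname={$config['dbname']}",
    $config['user'],
    $config['pass'],
    [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]
);

// Read the user id as an int, as the original comment intended: the original
// overwrote its intval() result with the raw $_GET value on the next line.
// `??` avoids an undefined-index warning when the parameter is missing.
$user_id = intval($_GET["id"] ?? 0);
$user_name = (string) ($_GET["name"] ?? "");

// Statement text with named placeholders; bound values never become part of
// the SQL text, so they cannot be parsed as SQL.
$sql = "select * from p_users where user_id=:id and user_name=:name";

// var_dump() prints directly and returns null; the original `echo "<br>".var_dump($sql)`
// printed the dump first and the "<br>" afterwards.
echo "<br>";
var_dump($sql);

// Prepare.
$stmt = $dbh->prepare($sql);

// Bind with explicit types. bindValue() copies the value now; the original
// bindParam() bound by reference, which buys nothing here because neither
// variable changes before execute().
$stmt->bindValue(":id", $user_id, PDO::PARAM_INT);
$stmt->bindValue(":name", $user_name, PDO::PARAM_STR);

// Execute.
$stmt->execute();

// All rows as associative arrays.
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);

// Escape before echoing into HTML: column values come from the database and
// may contain markup. The original closed the block with "<pre>" instead of "</pre>".
echo "<pre>";
echo htmlspecialchars(print_r($rows, true), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
echo "</pre>";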
常用的注入示例：`or 1=1--`。上面两种写法都通过预处理语句把参数作为值传入，这样的输入只会被当作普通字符串与字段比较，不会被当作 SQL 执行。