我是php的新手。但是我决定用PDO创建一个非常简单的插入页面,PDO的安全性是否足以抵御SQL注入攻击?
这是我的代码:
<?php
//Database settings
$host = 'localhost';
$dbname= 'akar';
$user = 'akar';
$pass = 'raparen';
//Setting up the PDO
$dsn = "mysql:host=$host;dbname=$dbname";
$pdo = new PDO($dsn,$user,$pass);
//Check if user entered something, otherwise set the username variable string to nothing.
$username = isset($_POST['username']) ? $_POST['username'] : '';
$password = isset($_POST['password']) ? $_POST['password'] : '';
//Inserting the values to the database using named placeholders
$query = "INSERT INTO users (username,password) VALUES(:username,:password)";
$statement = $pdo->prepare($query);
$statement->execute(array(
':username'=> $username,
':password'=> $password
));
?>
我的表格:
<input type='text' placeholder='Enter Username here!' name='username' />
<input type='password' placeholder='Enter Password here!' name='password' />
<input type='submit' value='Submit' />
</form>
答案 0 :(得分:0)
在您的情况下,该代码没问题。它可以防止任何一阶注射。
以下问题对这个问题进行了非常好的讨论:
Are PDO prepared statements sufficient to prevent SQL injection?