Question

这是在这个SELECT中避免SQL注入的正确方法吗？

// --[  Method  ]---------------------------------------------------------------
//
//  - Purpose   : Check if provided $email (taken from user input) exists in the DB
//
// -----------------------------------------------------------------------------
function DB_EmailExists($email)
{
    //
    if(DB_Connect() == false)
    {
        echo mysqli_error();
        return false;
    }

    //
    $stmt = $GLOBALS['global_db_link']->prepare("SELECT * FROM ".$GLOBALS['global_db_table_users']." WHERE Email=?");
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $stmt->store_result();
    $numrows = $stmt->num_rows;
    $stmt->close();

    //
    if ($numrows==0)
    {
        DB_Disconnect();
        return false;
    }

    //
    DB_Disconnect();

    return true;
}

Answer 1

是的，这很有效。但不需要SELECT *，只需使用SELECT email

PHP MySQLi为SELECT编写语句（避免SQL注入）

1 个答案: