我有以下php脚本将表单用户输入数据插入数据库。如果我不希望使用预准备语句将参数绑定到“?”,那么mysqli_real_escape_string是否足以阻止SQL注入占位符?
<?php
$link = mysqli_connect("localhost", "root", "", "bizcontact");
$name = mysqli_real_escape_string($link, $_POST['name']);
$company = mysqli_real_escape_string($link, $_POST['company']);
$position = mysqli_real_escape_string($link, $_POST['position']);
$contact = mysqli_real_escape_string($link, $_POST['contact']);
$email = mysqli_real_escape_string($link, $_POST['email']);
$gender = mysqli_real_escape_string($link, $_POST['gender']);
/* check connection */
if (mysqli_connect_errno()) {
printf("Connect failed: %s\n", mysqli_connect_error());
exit();
}
$sql = "INSERT INTO businesscontact(name, company, position, phone, email, gender) VALUES('$name', '$company', '$position', '$contact', '$email', '$gender')";
if (mysqli_query($link, $sql)){
echo "success";
}else{
echo(mysqli_error($link));
};
/* close connection */
mysqli_close($link);
?>
更新
$stmt = $link->prepare("INSERT INTO businesscontact(name, company, position, phone, email, gender) VALUES(?,?,?,?,?,?)");
$stmt-> bind_param("ssssss", $name, $company, $position, $contact, $email, $gender);
if($stmt->execute()){
echo "success";
}else{
echo(mysqli_error($link));
}