How to protect SQL statements with prepared statements

Time: 2017-08-22 17:28:05

Tags: php mysql

Let's say I execute a query like this:

$assignments = $database->getDataAsArray("SELECT * FROM assignments WHERE userId = '$id'");

The function (getDataAsArray) looks like this:

public function getDataAsArray($myQuery){
    // Opens a new connection on every call. The statement is prepared with
    // no placeholders, so any value already concatenated into $myQuery is
    // part of the SQL text itself, not a bound parameter.
    $this->connection = mysqli_connect($this->host, $this->dbUsername, $this->dbPassword, 'portal');
    $statement = $this->connection->prepare($myQuery);
    $statement->execute();
    $result = $statement->get_result();
    $results = array();
    while($line = $result->fetch_array()){
        $results[] = $line;
    }
    return $results;
}

This is unsafe because I am not parameterizing the query with items such as :id.

Is it safe if I do this instead:

$id = mysqli_real_escape_string($database->getConnection(), $_SESSION['id']);
$assignments = $database->getDataAsArray("SELECT * FROM assignments WHERE userId = $id AND closed = 0 AND completed = 0");

If this isn't safe, how can I parameterize my queries with a single function? For example, I have this query:

"SELECT * FROM assignments WHERE userId = $id AND closed = 0 AND completed = 0"

and I have this query:

"SELECT * FROM state WHERE id='$stateId'"

Each of them has a different number of parameters that need to be added to the query. How can I handle this in one function?

Thanks in advance

0 answers:

No answers
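Added example (not from the asker or from any answer): one helper that takes the SQL with ? placeholders and the values as a separate array, so both queries from the question run through the same function whatever their parameter count. The property names and the 'portal' database follow the question; the constructor, the type-string builder and the sample credentials are assumptions.

```php
<?php
// Added example: a single getDataAsArray() that binds any number of
// parameters with mysqli prepared statements. Constructor and the
// type-inference loop are assumptions, not code from the original post.
class Database
{
    private mysqli $connection;

    public function __construct(string $host, string $user, string $pass, string $db)
    {
        // Make mysqli throw on prepare/execute failures instead of returning false
        mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
        $this->connection = new mysqli($host, $user, $pass, $db);
    }

    /**
     * Run a query written with ? placeholders. $params travel to the server
     * separately from the SQL text, so a value can never alter the statement.
     */
    public function getDataAsArray(string $sql, array $params = []): array
    {
        $statement = $this->connection->prepare($sql);
        if ($params !== []) {
            // bind_param type string: i = integer, d = double, s = everything else
            $types = '';
            foreach ($params as $p) {
                $types .= is_int($p) ? 'i' : (is_float($p) ? 'd' : 's');
            }
            $statement->bind_param($types, ...$params);
        }
        $statement->execute();
        return $statement->get_result()->fetch_all(MYSQLI_ASSOC);
    }
}

// Sample credentials are constructed placeholders.
$database = new Database('localhost', 'portal_user', 'secret', 'portal');

// Query 1 from the question: one parameter, taken from the session as before.
$assignments = $database->getDataAsArray(
    'SELECT * FROM assignments WHERE userId = ? AND closed = 0 AND completed = 0',
    [(int) $_SESSION['id']]
);

// Query 2 from the question: a different parameter count, same function.
$stateId = 'CA'; // constructed sample value
$state = $database->getDataAsArray('SELECT * FROM state WHERE id = ?', [$stateId]);
```

mysqli_real_escape_string only neutralises quote and backslash characters, so in the unquoted `userId = $id` form shown in the question it offers no protection at all; binding sends the value out of band, which is what makes the same query safe regardless of what $_SESSION['id'] contains.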