在没有Prepared statement的情况下将用户数据发送到数据库

时间:2017-10-01 18:37:31

标签: php pdo

我正在使用下面这个基于PDO的OOP分页类

<?php
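class Paginator{
    private $db;
    public $page_no;//current page (1-based)
    public $limit;//records per page, or the string "all"
    public $row_start;//offset of the first row on the current page
    public $total_rec;//row count measured by get_no_records()
    public $query;//base SQL, without a LIMIT clause
    public $params = [];//values bound to $query's placeholders on every execute()

    /**
     * @param PDO $con open database connection
     */
    public function __construct($con){
        $this->db = $con;
    }

    /**
     * Runs $query once to count its rows and remembers it, with $params, for get_data().
     *
     * Put user input in $params, not in the SQL text: pass
     * "SELECT * FROM users WHERE username = :u" together with ['u' => $value] and the
     * driver binds the value, so quotes or keywords typed by the user cannot alter
     * the statement.
     *
     * @param string $query  SQL without a LIMIT clause; may contain placeholders
     * @param array  $params placeholder values, named or positional
     * @return int number of rows (0 when the query matches nothing)
     */
    public function get_no_records($query, $params = []){
        $this->query = $query;
        $this->params = $params;
        $stmt = $this->db->prepare($query);
        $stmt->execute($params);
        //rowCount() after a SELECT is only reliable on some drivers (MySQL with
        //buffered queries among them); a separate SELECT COUNT(*) is the portable way.
        $row_num = (int) $stmt->rowCount();
        $this->total_rec = $row_num;//also set when 0, so create_links() never sees null
        return $row_num;
    }

    /**
     * Fetches one page of the query registered by get_no_records().
     *
     * $limit and $page_no normally arrive straight from the ?limit=&page_no= links,
     * so both are cast to int before being spliced into the LIMIT clause -- an
     * integer cannot carry SQL, which is what made the plain concatenation unsafe.
     *
     * @param int|string $limit   rows per page, or "all" to fetch everything
     * @param int|string $page_no 1-based page number
     * @return stdClass|null ->page_no, ->limit, ->total_rec, ->data (list of assoc
     *                       rows, [] when the page is empty); null if PDO raised
     */
    public function get_data($limit,$page_no){
        try {
            $results = [];//defined up front: an empty page must still yield an array
            $this->page_no = max(1, (int) $page_no);
            if($limit === "all"){
                $this->limit = "all";
                $query = $this->query;
            }
            else{
                $this->limit = max(1, (int) $limit);//0 or junk would break LIMIT and create_links()
                $this->row_start = ($this->page_no - 1) * $this->limit;
                $query = $this->query . " LIMIT " . $this->row_start . "," . $this->limit;
            }
            $stmt = $this->db->prepare($query);
            $stmt->execute($this->params);
            while($row = $stmt->fetch(PDO::FETCH_ASSOC)){
                $results[] = $row;
            }
            $result = new stdClass();
            $result->page_no = $this->page_no;
            $result->limit = $this->limit;
            $result->total_rec = $this->total_rec;
            $result->data = $results;
            return $result;
        } catch (PDOException $e) {
            //driver messages name tables and columns; keep them in the server log, not the page
            error_log($e->getMessage());
            return null;
        }
    }

    /**
     * Renders the pagination list for the page chosen by get_data().
     *
     * @param int    $links      page numbers to show on each side of the current one
     * @param string $list_class class attribute of the <ul> (HTML-escaped here)
     * @return string HTML, or '' when limit is "all" or no positive page size is set
     */
    public function create_links($links,$list_class){
        if($this->limit === 'all'){
            return '';
        }
        $limit = (int) $this->limit;
        if($limit < 1){
            return '';//a zero page size has no pages (and would divide by zero below)
        }
        $page = (int) $this->page_no;
        $links = (int) $links;
        $last = (int) ceil((int) $this->total_rec / $limit);
        $start = (($page - $links) > 0) ? $page - $links : 1;
        $end = (($page + $links) < $last) ? $page + $links : $last;

        $html = '<ul class="' . htmlspecialchars((string) $list_class, ENT_QUOTES, 'UTF-8') . '">';
        //on the first page the "previous" entry is inert; the <a> sits inside the <li>
        $html .= ($page == 1)
            ? '<li class="disabled"><a href="">&laquo;</a></li>'
            : $this->page_link($page - 1, '&laquo;', '');
        if($start > 1){
            $html .= $this->page_link(1, 1);
            $html .= '<li class="disabled"><span>....</span></li>';
        }
        for($i = $start; $i <= $end; $i++){
            $html .= $this->page_link($i, $i, ($page == $i) ? 'active' : '');
        }
        if($end < $last){
            $html .= '<li class="disabled"><span>....</span></li>';
            $html .= $this->page_link($last, $last);
        }
        $html .= ($page == $last)
            ? '<li class="disabled"><a href="">&raquo;</a></li>'
            : $this->page_link($page + 1, '&raquo;', '');
        $html .= '</ul>';
        return $html;
    }

    /**
     * One <li><a href="?limit=..&page_no=..">label</a></li>; the class attribute is
     * emitted only when $class is given (may be ''). Both numbers are cast to int so
     * nothing but digits reaches the href.
     *
     * @param int         $page_no target page
     * @param int|string  $label   link text (page number or an HTML entity)
     * @param string|null $class   li class, or null for no class attribute
     * @return string
     */
    private function page_link($page_no, $label, $class = null){
        $li = ($class === null) ? '<li>' : '<li class="' . $class . '">';
        return $li . '<a href="?limit=' . (int) $this->limit . '&page_no=' . (int) $page_no . '">' . $label . '</a></li>';
    }
}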
?>

从上面的get_no_records($query)执行任何传递的查询；我有一个像SELECT * FROM users这样的查询，它运行正常。我还有一个函数，其中列的值由表单中文本字段的用户输入决定。这是该函数：

            /**
             * Builds the user-search query as a complete SQL string.
             *
             * SECURITY: $value (the raw text typed into the search form) is concatenated
             * straight into the statement, so a single quote in the input changes the SQL.
             * The quotes around $value do not prevent this, and prepare() in the Paginator
             * does not either, because the user input is already part of the statement text
             * by the time it is prepared. Since this method must return a finished string
             * that is executed with no parameters, it cannot be made safe without changing
             * its contract: return "SELECT * FROM users WHERE username = :username" and
             * bind ['username' => $value] on execute(); or, if this class holds the PDO
             * handle, wrap the value with $pdo->quote() instead of bare quotes.
             *
             * @param string $value username from the search form
             * @return string SQL text handed to Paginator::get_no_records()
             */
            public function search_user($value){
        //unsafe: user input spliced into the statement text (see docblock)
        $query = "SELECT * FROM users WHERE username = " . "'" . $value . "'";
            return $query;
        }

这是我的搜索表单

<form method="GET">
Username:<input type="text" name="uname"/>
<button type="submit" class="btn btn-primary" name="srch">Search</button>
</form>

返回的$query被传递给get_no_records($query)，并且运行正常。这是我的问题：以这种方式将用户输入发送到数据库是否正确？我的代码容易受到SQL注入吗？我该如何防止这种情况？感谢。

1 个答案:

答案 0 :(得分:0)

您确实需要使用PDO预处理语句（prepared statements），因为这是保护网站免受SQL注入的可靠方法。注意：仅调用prepare()并不够——用户输入的值必须通过占位符（如 :username）作为绑定参数传给execute()，而不能像search_user()那样先拼接进SQL字符串。

参考:https://stackoverflow.com/a/3716402/5287820