我喜欢此代码found here 你们认为,可以在此查询上执行准备好的语句来防止SQL注入吗?
<?php
$conn = mysqli_connect("localhost", "root", "", "blog_samples");
$keyword = "";
$queryCondition = "";
if(!empty($_POST["keyword"])) {
$keyword = $_POST["keyword"];
$wordsAry = explode(" ", $keyword);
$wordsCount = count($wordsAry);
$queryCondition = " WHERE ";
for($i=0;$i<$wordsCount;$i++) {
$queryCondition .= "title LIKE '%" . $wordsAry[$i] . "%' OR description LIKE '%" . $wordsAry[$i] . "%'";
if($i!=$wordsCount-1) {
$queryCondition .= " OR ";
}
}
}
$orderby = " ORDER BY id desc";
$sql = "SELECT * FROM links " . $queryCondition;
$result = mysqli_query($conn,$sql);
?>
<?php
function highlightKeywords($text, $keyword) {
$wordsAry = explode(" ", $keyword);
$wordsCount = count($wordsAry);
for($i=0;$i<$wordsCount;$i++) {
$highlighted_text = "<span style='font-weight:bold;'>$wordsAry[$i]</span>";
$text = str_ireplace($wordsAry[$i], $highlighted_text, $text);
}
return $text;
}
?>
这里的问题是该代码按空格爆炸关键字
$wordsAry = explode(" ", $keyword);
所以我不知道会有多少条准备好的语句。.也许在这样的查询中,准备好的语句是无用的或不可能实现的。 还是我错了? 或者在这种情况下,我可以使用preg_replace防止SQL注入,或者在这里我可以采取什么措施来防止SQL注入?