所以我一直在阅读很多关于准备好的陈述,并且不断得到关于准备好的陈述如何防止mysql注入的各种答案。有些人说它完全覆盖了它,而另一些人则说它们仍然有一些小的工作或某些事情。几乎我只是想确认这个代码,我是安全的,知道居然有准备语句中的任何孔:mysqli准备好的语句是否完全免受mysql注入?
<?php
ignore_user_abort(true);
$user = $_REQUEST['username'];
$pass = $_REQUEST['password'];
if (isset($user) && isset($pass)) {
require('/var/www/data/config.php'); //contains the db connection
if ($stmt = mysqli_prepare($mysqli, "SELECT password FROM users WHERE username=?")) {
mysqli_stmt_bind_param($stmt, 's', $user);
mysqli_stmt_execute($stmt);
mysqli_stmt_bind_result($stmt, $gpass);
mysqli_stmt_fetch($stmt);
mysqli_stmt_close($stmt);
if ($gpass) {
require('/var/www/data/handles/fCrypt.php');
$chk = verify($pass, $gpass); //custom blowfish validation
if ($chk) {
//password correct, continue
} else {
mysqli_close($mysqli);
//echo invalid password stuff
}
} else {
mysqli_close($mysqli);
//echo invalid username stuff
}
} else {
mysqli_close($mysqli);
die('Query Error');
}
} else {
die('Invalid Request');
}
?>
本质上是PDO准备语句安全的副本(http://stackoverflow.com/questions/1314521/how-safe-are-pdo-prepared-statements) – deceze 2013-04-04 06:49:11