参见英文答案 > real escape string and PDO 3个
在我的代码中我试图将mysql_real_escape_string转换为PDO语句.有人有关于如何在PDO中编写mysql_real_escape_string的提示吗?
我在两行中使用mysql_real_escape_string:
$userName = mysql_real_escape_string($_ POST [‘username’]);
$password = sha1(mysql_real_escape_string($_ POST [‘password’]));
?>
这就是我试图用PDO做的事情
$host = "localhost";
$user = "root";
$password = "root";
$db = "blog";
$dsn = "mysql:host=$host;dbname=$db;charset=utf8";
$opt = array(PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC);
$pdo = new PDO($dsn,$user,$password,$opt);
$username = $_POST['username'];
$password = $_POST['password'];
$query = "select * from tbladmin where admin_usr_name=:userName and admin_pwd=:passWord";
try
{
$databas = new PDO($dsn,$password);
}
catch (PDOException $e)
{
echo 'Connection failed: ' . $e->getMessage();
}
$statement = $databas->prepare($query);
$statement->execute(array(':userName'=>$username,':passWord'=> $password));
$row = $statement->fetch();
我总是得到这个错误:
在非对象上调用成员函数prepare()
最佳答案
关键是通过使用带参数化查询和绑定值的预准备语句,您不需要诸如mysql_real_escape_string之类的东西.
查看PDO documentation有关如何使用绑定值和参数化查询/预准备语句的信息.
关键是你要编写一个SQL查询:
$query = $pdo->prepare("SELECT * FROM users WHERE username = ? and password = ?");
然后你会传入绑定值代替?符号,因此查询只是按字面意思运行:
$query->bindParam(1,$username);
$query->bindParam(2,$password);
任何类型的SQL注入尝试,例如1′; DROP用户 – 在上面的变量中将不再起作用,因为它将按字面意思调用.