I want to confirm whether using prepared statements with MySQL prevents SQL injection.
Does the code below prevent all SQL injection attacks?
$var = $_GET['q'] ?? '';            // avoid an undefined-index notice when ?q= is absent
$trimmed = trim($var);
if ($trimmed != NULL) {
    // The same named placeholder :searchTerm is reused for every column.
    $get_fighters = $DBH->prepare(
        'SELECT *
         FROM fighters
         WHERE name LIKE :searchTerm
            OR nickname LIKE :searchTerm
            OR born_in_city LIKE :searchTerm
            OR born_in_state LIKE :searchTerm
            OR born_in_country LIKE :searchTerm
         ORDER BY name ASC');
    $get_fighters->bindValue(':searchTerm', '%' . $trimmed . '%', PDO::PARAM_STR);
    $get_fighters->setFetchMode(PDO::FETCH_ASSOC);
    $get_fighters->execute();
    $check_results_fighters = $get_fighters->rowCount();

    $get_events = $DBH->prepare(
        'SELECT *
         FROM events
         WHERE event_name LIKE :searchTerm
            OR event_arena LIKE :searchTerm
            OR event_city LIKE :searchTerm
            OR event_state LIKE :searchTerm
            OR event_country LIKE :searchTerm
            OR organization LIKE :searchTerm
         ORDER BY event_date DESC');
    $get_events->bindValue(':searchTerm', '%' . $trimmed . '%', PDO::PARAM_STR);
    $get_events->setFetchMode(PDO::FETCH_ASSOC);
    $get_events->execute();
    $check_results_events = $get_events->rowCount();
}
From the PDO::prepare documentation: "You cannot use a named parameter marker of the same name more than once in a prepared statement." (Although emulated prepared statements in some versions of PHP with the PDO/MySQL driver support duplicate names, relying on this is not safe. See "php pdo prepare repetitive variables".) Always consult the manual. - outis
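The following is an added example, not code from the original question or from outis' comment. It rewrites the search without reusing a named placeholder (the point outis raises) and also covers the one thing a bound parameter does not protect: `%` and `_` in the input still act as `LIKE` wildcards. It assumes an existing PDO connection `$DBH` to the MySQL database holding the `fighters` and `events` tables from the question; the function names `likeLiteral`, `buildLikeSearch` and `searchLike` are this example's own.

```php
<?php
// Added example (not code from the original question). Assumes an existing PDO
// connection $DBH to the MySQL database with the `fighters` and `events` tables
// shown in the question; every function name below is this example's own.

// Let MySQL parse and bind server-side. With emulation off, reusing a named
// placeholder fails loudly instead of depending on driver-specific behaviour.
$DBH->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
$DBH->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// A bound parameter can never alter the SQL text, but '%' and '_' in the input
// still act as LIKE wildcards (a bare "%" matches every row). Escape them with
// an explicit ESCAPE character so the input matches literally.
function likeLiteral(string $term, string $esc = '!'): string
{
    return str_replace(
        [$esc, '%', '_'],
        [$esc . $esc, $esc . '%', $esc . '_'],
        $term
    );
}

// One positional placeholder per column, so no placeholder name is reused.
// Table and column names come from fixed allowlists in code, never from user
// input: placeholders cannot stand in for identifiers.
function buildLikeSearch(string $table, array $columns, string $orderBy): string
{
    $conds = implode(' OR ', array_map(
        fn(string $c): string => "`$c` LIKE ? ESCAPE '!'",
        $columns
    ));
    return "SELECT * FROM `$table` WHERE $conds ORDER BY $orderBy";
}

function searchLike(PDO $dbh, string $table, array $columns, string $orderBy, string $q): array
{
    $stmt = $dbh->prepare(buildLikeSearch($table, $columns, $orderBy));
    $pattern = '%' . likeLiteral($q) . '%';
    // The same pattern is bound once per placeholder.
    $stmt->execute(array_fill(0, count($columns), $pattern));
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// ?q= may be absent, or arrive as an array (?q[]=x); treat both as empty.
$raw = $_GET['q'] ?? '';
$q = is_string($raw) ? trim($raw) : '';
if ($q !== '') {
    $fighters = searchLike($DBH, 'fighters',
        ['name', 'nickname', 'born_in_city', 'born_in_state', 'born_in_country'],
        '`name` ASC', $q);
    $events = searchLike($DBH, 'events',
        ['event_name', 'event_arena', 'event_city', 'event_state', 'event_country', 'organization'],
        '`event_date` DESC', $q);
    // Count the fetched rows instead of relying on rowCount() for a SELECT.
    $check_results_fighters = count($fighters);
    $check_results_events   = count($events);
}
```

With `PDO::ATTR_EMULATE_PREPARES` off, the query text and the parameter values travel to MySQL separately, so no value can change the statement's structure; that is what makes prepared statements injection-safe. What they do not cover is anything that is not a value: identifiers such as table and column names (kept in code here), and the meaning of wildcard characters inside a `LIKE` pattern, which `likeLiteral` neutralises.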