There are two common ways to prevent SQL injection in PHP: prepared statements via mysqli and via PDO.
Below is an example of each:
PDO:
$servername = "localhost";
$username = "root";
$password = "root";
$dbname = "test";
$pdo = new PDO("mysql:host=$servername;dbname=$dbname", $username, $password);
// There are several ways to write this; I prefer the simple one
$stmt = $pdo->prepare('INSERT INTO test VALUES (?, ?)');
$stmt->execute(array('321', 'mmmm'));
echo $stmt->rowCount();
mysqli:
$mysqli = new mysqli($servername, $username, $password, $dbname);
$stmt = $mysqli->prepare("INSERT INTO test (id, name) VALUES (?, ?)");
// Parameter binding: assigns values to the ? placeholders. The type string,
// the bound variables and the placeholders must agree in type and order.
// Four parameter types are available:
// i - integer
// d - double (double-precision float)
// s - string
// b - BLOB (binary large object)
$stmt->bind_param("is", $id, $name);
// Variables are bound by reference, so they can be assigned after bind_param()
$id = 222;
$name = 'bbb';
// Execute the prepared statement
$stmt->execute();
echo $stmt->affected_rows; // 1 on success, -1 on failure
// Close the prepared statement
$stmt->close();
// Close the database connection
$mysqli->close();
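As an added example (not code from the original post), here is the same `test` table handled with PDO using named placeholders and explicit parameter types, with client-side prepare emulation switched off so the MySQL server itself keeps the SQL text and the values apart; the connection values and the CREATE TABLE are assumptions, and the unsafe string-concatenation form is shown alongside for contrast.

```php
<?php
// Added example, not from the original post. Connection values are assumed.
$dsn = 'mysql:host=localhost;dbname=test;charset=utf8mb4';
$pdo = new PDO($dsn, 'root', 'root', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // throw instead of failing silently
    PDO::ATTR_EMULATE_PREPARES => false,                  // real server-side prepared statements
]);

// Unsafe pattern the post warns against: the value becomes part of the SQL text,
// so a quote in $name changes the statement instead of being stored.
function findByNameUnsafe(PDO $pdo, string $name): array {
    $sql = "SELECT id, name FROM test WHERE name = '$name'"; // do not do this
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Safe version: named placeholder, the value travels separately from the query.
function findByName(PDO $pdo, string $name): array {
    $stmt = $pdo->prepare('SELECT id, name FROM test WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Safe insert; bindValue with an explicit type keeps id an integer.
function insertRow(PDO $pdo, int $id, string $name): int {
    $stmt = $pdo->prepare('INSERT INTO test (id, name) VALUES (:id, :name)');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->rowCount(); // 1 for a successful insert
}

// Constructed input: a legitimate name containing a quote. With prepared
// statements it is stored and matched literally, whatever characters it holds.
$pdo->exec('CREATE TABLE IF NOT EXISTS test (id INT PRIMARY KEY, name VARCHAR(100))');
insertRow($pdo, 1, "O'Brien");
var_dump(findByName($pdo, "O'Brien")); // exactly one row, name => O'Brien
```

Calling findByNameUnsafe() with the same input raises a PDOException for a syntax error, which is the concatenation defect the prepared version removes.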