mcb*_*eav · php security mysqli prepared-statement
Sorry, this may be a very silly question, but is it safe to run this code on a page that people are going to view, or should I wrap it in a function and call that?
$stmt = $db->prepare("select * from .... where userid = ? and username = ?");
/* Binding 2 parameters (i = integer, s = string). */
$stmt->bind_param("is", $userid, $username);
/* Binding the result columns; the SELECT must return exactly these 5 columns, in this order. */
$stmt->bind_result($isbn, $title, $author, $coef, $bookid);
/* Executing the statement */
$stmt->execute( ) or die ("Could not execute statement");
/*
 * Making PHP buffer the whole result,
 * not recommended if there is a blob or
 * text field as PHP eats loads of memory
 */
$stmt->store_result();
while ($stmt->fetch()) {
    /*
     * Here you can use the variables $isbn, $title, $author, $coef, $bookid,
     * which contain the data for 1 row. Values are HTML-escaped before output
     * so that stored data cannot inject markup into the page.
     */
    print "<tr>".
        "<td>".htmlspecialchars($isbn, ENT_QUOTES, 'UTF-8')."</td>".
        "<td>".htmlspecialchars($title, ENT_QUOTES, 'UTF-8')."</td>".
        "<td>".htmlspecialchars($author, ENT_QUOTES, 'UTF-8')."</td>".
        "</tr>";
}
$stmt->close();
From a security standpoint they would be the same. This is a software design question. However, you may want to consider better error handling (at least for production). Specifically, there is no need to leak the reason for the error ("Could not execute statement"). Typically you want a generic error page ("Sorry, the server had a problem! Please try the home page.").
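The shape the answer recommends, written out as an added example (this is not code from the question or the answer): the query is wrapped in a function, the real error text goes to the server log only, the visitor sees a generic message, and the result values are escaped before they are printed. The table name `books`, the column names, the connection credentials and the `$_GET` parameter names are assumptions made for the example.

```php
<?php
// Added example, not from the original post. Assumes a `books` table with the
// columns isbn, title, author, coef, bookid, userid and username (assumption).
declare(strict_types=1);

/**
 * Runs the prepared query and returns the matching rows as plain arrays.
 * Throws a RuntimeException with a generic message on any database failure;
 * the specific reason is written to the server log, never to the page.
 */
function fetchBooksForUser(mysqli $db, int $userid, string $username): array
{
    $sql = "SELECT isbn, title, author, coef, bookid FROM books WHERE userid = ? AND username = ?";
    $stmt = $db->prepare($sql);
    if ($stmt === false) {
        error_log("prepare failed: " . $db->error);   // detail stays server-side
        throw new RuntimeException("database error");
    }

    $stmt->bind_param("is", $userid, $username);       // i = integer, s = string
    if (!$stmt->execute()) {
        error_log("execute failed: " . $stmt->error);
        $stmt->close();
        throw new RuntimeException("database error");
    }

    // bind_result needs exactly as many variables as the SELECT has columns.
    $stmt->bind_result($isbn, $title, $author, $coef, $bookid);
    $rows = [];
    while ($stmt->fetch()) {
        $rows[] = [
            'isbn'   => $isbn,
            'title'  => $title,
            'author' => $author,
            'coef'   => $coef,
            'bookid' => $bookid,
        ];
    }
    $stmt->close();
    return $rows;
}

/** Renders rows as <tr> elements with every value HTML-escaped. */
function renderBookRows(array $rows): string
{
    $html = '';
    foreach ($rows as $row) {
        $html .= '<tr>';
        foreach (['isbn', 'title', 'author'] as $col) {
            $html .= '<td>' . htmlspecialchars((string) $row[$col], ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</td>';
        }
        $html .= "</tr>\n";
    }
    return $html;
}

// Page-level usage: the visitor only ever sees the generic message.
mysqli_report(MYSQLI_REPORT_OFF);   // keep the explicit checks above in control of error handling
$db = new mysqli('localhost', 'app_user', 'app_password', 'app_db'); // placeholder credentials

try {
    $userid   = (int) ($_GET['userid'] ?? 0);
    $username = (string) ($_GET['username'] ?? '');
    $rows = fetchBooksForUser($db, $userid, $username);
    echo '<table>' . renderBookRows($rows) . '</table>';
} catch (RuntimeException $e) {
    http_response_code(500);
    echo 'Sorry, the server had a problem! Please try the home page.';
}
```

Keeping the query in a function does not change what the database sees, which is the answer's point; what the function buys you is a single place where failures are logged and turned into the generic page, and a single place where output is escaped, instead of repeating both on every page that runs the query.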