我理解通过使用预准备语句来保护数据库免受SQL注入的正确方法.我想了解准备语句如何保护我的数据库.
首先,准备好的语句与"参数化查询"相同吗?
作为一个例子,我粘贴在我的代码下面,以便在用户表中插入新用户.这样安全吗?PDO如何确保其安全?还有什么需要做的,以保护数据库免受注入?
在'Class_DB.php'中:
class DB {
private $dbHost;
private $dbName;
private $dbUser;
private $dbPassword;
function __construct($dbHost, $dbName, $dbUser, $dbPassword) {
$this->dbHost=$dbHost;
$this->dbName=$dbName;
$this->dbUser=$dbUser;
$this->dbPassword=$dbPassword;
}
function createConnexion() {
return new PDO("mysql:host=$this->dbHost;dbName=$this->dbName", $this->dbUser, $this->dbPassword);
}
}
在'DAO_User.php'中:
require_once('Class_DB.php');
class DAO_User {
private $dbInstance;
function __construct($dbInstance){
$this->dbInstance=$dbInstance;
}
function createUser($user){
$dbConnection=$this->dbInstance->createConnexion();
$query=$dbConnection->prepare("INSERT INTO users (userName, hashedPassword, userEmail) VALUES (?,?,?)");
$query->bindValue(1, $user->userName);
$query->bindValue(2, $user->hashedPassword);
$query->bindValue(3, $user->userEmail);
$query->execute();
}
}
谢谢,
JDelage