Data security methods to prevent SQL injection in PHP

This time I will bring you a data security method for preventing SQL injection in PHP. What are the precautions for PHP anti-SQL injection data security? . The following is a practical case, let’s take a look.

The example in this article describes how to simply implement PHP to prevent SQL injection. Share it with everyone for your reference, the details are as follows:

Method 1: execute and substitute parameters

<?php
if(count($_POST)!= 0) {
  $host = &#39;aaa&#39;;
  $database = &#39;bbb&#39;;
  $username = &#39;ccc&#39;;
  $password = &#39;***&#39;;
  $num = 0;
  $pdo = new PDO("mysql:host=$host;dbname=$database", $username, $password);//创建一个pdo对象
  foreach ($_POST as $var_Key => $var_Value) {
    //获取POST数组最大值
    $num = $num + 1;
  }
  //下标为i的数组存储的是商品id, 下标为j数组的存储的是此商品的库存
  for($i=0;$i<$num;$i=$i+2)
  {
    //库存下标
    $j = $i+1;
    //判断传递过来的数据合法性
    if(is_numeric(trim($_POST[$i])) && is_numeric(trim($_POST[$j]))){
      //禁用prepared statements的仿真效果
      $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
      //查询数据库中是否存在该ID的商品
      //当调用 prepare() 时，查询语句已经发送给了数据库服务器，此时只有占位符 ? 发送过去，没有用户提交的数据
      $stmt = $pdo->prepare("select good_id from delphi_test_content WHERE good_id = ?");
      //当调用到 execute()时，用户提交过来的值才会传送给数据库，他们是分开传送的，两者独立的，SQL攻击者没有一点机会。
      $stmt->execute(array($_POST[$i]));
      //返回查询结果
      $count = $stmt->rowCount();
      //如果本地数据库存在该商品ID和库存记录，就更新该商品的库存
      if($count != 0)
      {
        $stmt = $pdo->prepare("update delphi_test_content set content = ? WHERE good_id = ?");
        $stmt->execute(array($_POST[$j], $_POST[$i]));
      }
      //如果本地数据库没有该商品ID和库存记录，就新增该条记录
      if($count == 0)
      {
        $stmt = $pdo->prepare("insert into delphi_test_content (good_id,content) values (?,?)");
        $stmt->execute(array($_POST[$i], $_POST[$j]));
      }
    }
  }
  $pdo = null;
  //关闭连接
}
?>

Method 2: bindParam binding parameter

<?php
if(count($_POST)!= 0) {
  $host = &#39;aaa&#39;;
  $database = &#39;bbb&#39;;
  $username = &#39;ccc&#39;;
  $password = &#39;***&#39;;
  $num = 0;
  $pdo = new PDO("mysql:host=$host;dbname=$database", $username, $password);//创建一个pdo对象
  foreach ($_POST as $var_Key => $var_Value) {
    //获取POST数组最大值
    $num = $num + 1;
  }
  //下标为i的数组存储的是商品id, 下标为j数组的存储的是此商品的库存
  for($i=0;$i<$num;$i=$i+2)
  {
    //库存下标
    $j = $i+1;
    //判断传递过来的数据合法性(此数据为商品编号以及库存，严格来说字符串全是由数字组成的)
    if(is_numeric(trim($_POST[$i])) && is_numeric(trim($_POST[$j]))){
      //查询数据库中是否存在该ID的商品
      $stmt = $pdo->prepare("select good_id from delphi_test_content WHERE good_id = ?");
      $stmt->execute(array($_POST[$i]));
      $stmt->bindParam(1,$_POST[$i]);
      $stmt->execute();
      //返回查询结果
      $count = $stmt->rowCount();
      //如果本地数据库存在该商品ID和库存记录，就更新该商品的库存
      if($count != 0)
      {
        $stmt = $pdo->prepare("update delphi_test_content set content = ? WHERE good_id = ?");
        $stmt->execute(array($_POST[$j], $_POST[$i]));
        $stmt->bindParam(1,$_POST[$j]);
        $stmt->bindParam(2,$_POST[$i]);
        $stmt->execute();
      }
      //如果本地数据库没有该商品ID和库存记录，就新增该条记录
      if($count == 0)
      {
        $stmt = $pdo->prepare("insert into delphi_test_content (good_id,content) values (?,?)");
        $stmt->bindParam(1,$_POST[$i]);
        $stmt->bindParam(2,$_POST[$j]);
        $stmt->execute();
      }
    }
  }
  $pdo = null;
  //关闭连接
}
?>

I believe you have mastered the method after reading the case in this article. For more exciting information, please pay attention to other related articles on the PHP Chinese website!

Recommended reading:

How to reset an array to a numeric index

How to remove a single value from an array in php

The above is the detailed content of Data security methods to prevent SQL injection in PHP. For more information, please follow other related articles on the PHP Chinese website!