Here are a few parameterization methods:
#mysql:
// escape each value first (needs an open mysql connection), then splice the
// escaped strings into the query text with sprintf
$query = sprintf("SELECT * FROM Users where UserName='%s' and Password='%s'",
    mysql_real_escape_string($Username),
    mysql_real_escape_string($Password));
mysql_query($query);
#mysqli parameterized
$db = new mysqli("www.libenfu.com", "xxx", "xxx", "xxx");
// check the connection before preparing anything on it
if (mysqli_connect_errno()) {
    printf("Connect failed: %s\n", mysqli_connect_error());
    exit();
}
$stmt = $db->prepare("SELECT name,title FROM my WHERE name=? AND title=?");
if ($stmt === false) {
    printf("Prepare failed: %s\n", $db->error);
    exit();
}
$name = 99;
$title = 99;
// "ss": both placeholders are bound as strings; the values are sent
// separately from the SQL text, so they are never parsed as SQL
$stmt->bind_param("ss", $name, $title);
$stmt->execute();
// output
$stmt->bind_result($name, $title);
while ($stmt->fetch()) {
    printf("%s (%s)\n", $name, $title);
}
/* close statement */
$stmt->close();
PDO's parameterization should count as the safest method at present: http://www.libenfu.com/mysql-pdo-%e5%8f%82%e6%95%b0%e5%8c%96%e7%9a%84%e4%b8%a4%e7%a7%8d%e6%96%b9%e6%b3%95/
The address above covers PDO's two parameterization methods.
Best answer
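The answer links to PDO's two parameterization styles but does not show them. Below is an added example (not code from the original post or the linked page) of both: positional `?` placeholders with the values passed to `execute()`, and named `:name` placeholders bound with `bindValue()`. The DSN, credentials and the `connect()`, `findUserPositional()` and `findUserNamed()` names are assumptions; the `Users` table and `UserName`/`Password` columns are taken from the mysql snippet above.

```php
<?php
// Added example, not from the original post. DSN and credentials are placeholders.

function connect(): PDO
{
    $dsn = 'mysql:host=127.0.0.1;dbname=example_db;charset=utf8mb4'; // placeholder
    return new PDO($dsn, 'example_user', 'example_password', [
        // throw on errors instead of failing silently
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        // use real server-side prepared statements rather than client-side
        // quoting, so SQL text and values travel to the server separately
        PDO::ATTR_EMULATE_PREPARES   => false,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

// Style 1: positional "?" placeholders, values supplied as a list to execute().
function findUserPositional(PDO $pdo, string $username, string $password): ?array
{
    $stmt = $pdo->prepare(
        'SELECT UserName FROM Users WHERE UserName = ? AND Password = ?'
    );
    $stmt->execute([$username, $password]);
    $row = $stmt->fetch();
    return $row === false ? null : $row;
}

// Style 2: named ":name" placeholders, each bound with an explicit type.
function findUserNamed(PDO $pdo, string $username, string $password): ?array
{
    $stmt = $pdo->prepare(
        'SELECT UserName FROM Users WHERE UserName = :name AND Password = :pass'
    );
    $stmt->bindValue(':name', $username, PDO::PARAM_STR);
    $stmt->bindValue(':pass', $password, PDO::PARAM_STR);
    $stmt->execute();
    $row = $stmt->fetch();
    return $row === false ? null : $row;
}

// A value containing a quote, such as O'Brien, is matched as a literal string
// in both styles; no escaping step is needed and the query text never changes.
$pdo = connect();
var_dump(findUserPositional($pdo, "O'Brien", 'example-password'));
var_dump(findUserNamed($pdo, "O'Brien", 'example-password'));
```

Disabling `PDO::ATTR_EMULATE_PREPARES` is what makes the distinction between "parameterized" and "escaped" concrete: with emulation on, PDO quotes the values into the SQL string on the client, much like the `mysql_real_escape_string` snippet above; with it off, the server receives the statement and the values as separate messages.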
