各位大侠,下面的这段代码能防SQL注入吗?如果不能,php+pgsql如何防注入大家有何好的意见,最好是使用pg_prepare预处理的方式。
$keyword=$_POST["key"];$dbconn = pg_connect("host=localhost dbname=gznc_jjy user=user password=pass port=5432")
or die('Could not connect: ' . pg_last_error());
$result = pg_prepare($dbconn, "my_query", 'SELECT * FROM article where content like $1 or title like $2 or id=$3 ');
$result = pg_execute($dbconn, "my_query", array("%".$keyword."%","%".$keyword."%",1));
echo "<table>\n";
while ($line = pg_fetch_array($result, null, PGSQL_ASSOC)) {
echo "\t<tr>\n";
foreach ($line as $col_value) {
echo "\t\t<td>$col_value</td>\n";
}
echo "\t</tr>\n";
}
echo "</table>\n";// 释放结果集
pg_free_result($result);// 关闭连接
pg_close($dbconn);PHPsql注入
$keyword=$_POST["key"];$dbconn = pg_connect("host=localhost dbname=gznc_jjy user=user password=pass port=5432")
or die('Could not connect: ' . pg_last_error());
$result = pg_prepare($dbconn, "my_query", 'SELECT * FROM article where content like $1 or title like $2 or id=$3 ');
$result = pg_execute($dbconn, "my_query", array("%".$keyword."%","%".$keyword."%",1));
echo "<table>\n";
while ($line = pg_fetch_array($result, null, PGSQL_ASSOC)) {
echo "\t<tr>\n";
foreach ($line as $col_value) {
echo "\t\t<td>$col_value</td>\n";
}
echo "\t</tr>\n";
}
echo "</table>\n";// 释放结果集
pg_free_result($result);// 关闭连接
pg_close($dbconn);PHPsql注入
解决方案 »
免费领取超大流量手机卡,每月29元包185G流量+100分钟通话, 中国电信官方发货