If your application exclusively uses prepared statements, you can be sure that no SQL injection will occur.
The parameters to prepared statements don't need to be quoted; the driver handles it for you.
Prepared statements are so useful that PDO actually breaks the rule set out in Goal number 4: if the driver doesn't support prepared statements, PDO will emulate them.
A program that examines the source program for preprocessor statements, which are then executed, resulting in the alteration of the source program.
Complicated vulnerabilities aside, if you're not using prepared statements, all it takes is one mistake by any programmer on the project and you're hosed.