Is it possible to use prepared statements using the deprecated mysql extension in PHP? I have a server that will not be getting mysqli or PDO anytime soon and need to do RLIKE lookups against user supplied text. mysql_real_escape_string() will be used but I was concerned that it would be insufficient.
是否可以在PHP中使用已弃用的mysql扩展名来使用预准备语句?我有一台服务器,不会很快获得mysqli或PDO,需要针对用户提供的文本进行RLIKE查找。将使用mysql_real_escape_string(),但我担心它不够用。
2 个解决方案
#1
2
Here's a PHP script, using the deprecated mysql API, that demonstrates using PREPARE and EXECUTE. I tested this with PHP 5.3.15 and MySQL 5.5.29 and it works for me. However, I don't recommend it.
这是一个PHP脚本,使用不推荐使用的mysql API,演示如何使用PREPARE和EXECUTE。我用PHP 5.3.15和MySQL 5.5.29对它进行了测试,它对我有用。但是,我不推荐它。
<?php
$x = 3;
$y = 4;
mysql_connect('localhost', 'root', 'xxxx') or die(mysql_error());
mysql_select_db('test');
mysql_query("SET @sql = 'SELECT SQRT(POW(?,2) + POW(?,2)) AS hypotenuse'");
mysql_query("PREPARE stmt FROM @sql");
mysql_query("SET @x = $x"); // SQL injection!
mysql_query("SET @y = $y"); // SQL injection!
$result = mysql_query("EXECUTE stmt USING @x, @y");
while ($row = mysql_fetch_assoc($result)) {
print $row["hypotenuse"] . "\n";
}
mysql_close();
As I noted in the comments, this sort of misses the point of prepared queries, because you have to interpolate possibly untrusted content into your SET statements.
正如我在评论中所指出的那样,这种方法错过了准备好的查询,因为你必须将可能不受信任的内容插入到SET语句中。
You really should fix your PHP installation and enable the mysqli or the PDO_mysql extensions, so you can use real API-level prepare and execute.
您真的应该修复PHP安装并启用mysqli或PDO_mysql扩展,这样您就可以使用真正的API级准备和执行。
#2
0
Take a look at this: http://dev.mysql.com/doc/refman/5.0/en/sql-syntax-prepared-statements.html
看看这个:http://dev.mysql.com/doc/refman/5.0/en/sql-syntax-prepared-statements.html
You have there the SQL syntax for prepared statements with manual param binding.
您有使用手动param绑定的预准备语句的SQL语法。
#1
2
Here's a PHP script, using the deprecated mysql API, that demonstrates using PREPARE and EXECUTE. I tested this with PHP 5.3.15 and MySQL 5.5.29 and it works for me. However, I don't recommend it.
这是一个PHP脚本,使用不推荐使用的mysql API,演示如何使用PREPARE和EXECUTE。我用PHP 5.3.15和MySQL 5.5.29对它进行了测试,它对我有用。但是,我不推荐它。
<?php
$x = 3;
$y = 4;
mysql_connect('localhost', 'root', 'xxxx') or die(mysql_error());
mysql_select_db('test');
mysql_query("SET @sql = 'SELECT SQRT(POW(?,2) + POW(?,2)) AS hypotenuse'");
mysql_query("PREPARE stmt FROM @sql");
mysql_query("SET @x = $x"); // SQL injection!
mysql_query("SET @y = $y"); // SQL injection!
$result = mysql_query("EXECUTE stmt USING @x, @y");
while ($row = mysql_fetch_assoc($result)) {
print $row["hypotenuse"] . "\n";
}
mysql_close();
As I noted in the comments, this sort of misses the point of prepared queries, because you have to interpolate possibly untrusted content into your SET statements.
正如我在评论中所指出的那样,这种方法错过了准备好的查询,因为你必须将可能不受信任的内容插入到SET语句中。
You really should fix your PHP installation and enable the mysqli or the PDO_mysql extensions, so you can use real API-level prepare and execute.
您真的应该修复PHP安装并启用mysqli或PDO_mysql扩展,这样您就可以使用真正的API级准备和执行。
#2
0
Take a look at this: http://dev.mysql.com/doc/refman/5.0/en/sql-syntax-prepared-statements.html
看看这个:http://dev.mysql.com/doc/refman/5.0/en/sql-syntax-prepared-statements.html
You have there the SQL syntax for prepared statements with manual param binding.
您有使用手动param绑定的预准备语句的SQL语法。