I'm not so familiar with the newer PHP commands, so I wanted to check with you if the code below is protected against SQL injection?
我对更新的PHP命令不太熟悉,所以我想和您检查一下下面的代码是否受SQL注入保护?
$mysqli = new mysqli($server,$user , $password, $db_name);
$stmt1 = $mysqli->prepare("insert into $db_table (request_date, from_city, from_country, to_city, to_country, travel_date, return_date, minus, plus, currency)
values(?,?,?,?,?,?,?,?,?,?)");
$date = date('Y-m-d H:i:s');
$stmt1->bind_param("ssssssssss",$date,
$_POST['from_city'],
$_POST['from_country'],
$_POST['to_city'],
$_POST['to_country'],
$_POST['travel_date'],
$_POST['return_date'],
$_POST['minus'],
$_POST['plus'],
$_POST['currency']
);
$stmt1->execute();
Basically, the script receives post data from the form, records them into a db, and then submits them to another script to perform the actual search (on a third-party website).
基本上,脚本从表单接收post数据,将它们记录到db中,然后将它们提交到另一个脚本,以执行实际的搜索(在第三方网站上)。
1 个解决方案
#1
4
Yes, prepared statements are safe against SQL injection as they are not interpreted as part of the SQL query - you can have anything there, it won't execute a command.
是的,准备好的语句对于SQL注入是安全的,因为它们不被解释为SQL查询的一部分——您可以在那里拥有任何东西,它不会执行命令。
That said, you may want to do a bit of validation anyway to make sure the data you are accepting makes sense. Garbage in, Garbage out. You don't want to save a date that's not valid, for instance.
这就是说,无论如何,您可能想要做一点验证,以确保您所接受的数据是有意义的。垃圾,垃圾。例如,您不想保存无效的日期。
#1
4
Yes, prepared statements are safe against SQL injection as they are not interpreted as part of the SQL query - you can have anything there, it won't execute a command.
是的,准备好的语句对于SQL注入是安全的,因为它们不被解释为SQL查询的一部分——您可以在那里拥有任何东西,它不会执行命令。
That said, you may want to do a bit of validation anyway to make sure the data you are accepting makes sense. Garbage in, Garbage out. You don't want to save a date that's not valid, for instance.
这就是说,无论如何,您可能想要做一点验证,以确保您所接受的数据是有意义的。垃圾,垃圾。例如,您不想保存无效的日期。