PHP防止SQL注入的方法有以下几种:
- 使用PDO预处理语句
- 使用mysqli_real_escape_string()函数
- 过滤输入的特殊字符
- 使用PDO预处理语句:PDO是PHP的一个数据库抽象层,可以使用预处理语句来防止SQL注入。预处理语句可以将SQL语句和参数分离,避免了将参数与SQL语句混在一起的情况,从而有效地防止SQL注入攻击。例如:
$stmt = $pdo->prepare("SELECT * FROM users WHERE username = :username AND password = :password");
$stmt->execute(array("username" => $username, "password" => $password));
- 使用mysqli_real_escape_string()函数:mysqli_real_escape_string()函数可以将特殊字符转义,从而避免SQL注入攻击。例如:
$username = mysqli_real_escape_string($conn, $_POST["username"]);
$password = mysqli_real_escape_string($conn, $_POST["password"]);
$sql = "SELECT * FROM users WHERE username = "$username" AND password = "$password"";
- 过滤输入的特殊字符:可以使用PHP的过滤函数,例如filter_var()函数,来过滤输入的特殊字符,从而避免SQL注入攻击。例如:
$username = filter_var($_POST["username"], FILTER_SANITIZE_STRING);
$password = filter_var($_POST["password"], FILTER_SANITIZE_STRING);
$sql = "SELECT * FROM users WHERE username = "$username" AND password = "$password"";