我想知道我是否需要针对sql注入的保护,仅在我编写的插入的情况下,或者是否需要为所有查询使用预准备语句。我如何用sqlmap测试它? (本地主机)
答案 0 :(得分:0)
使用下面的准备语句就是一个例子
$name = $_GET['username'];
if($ stmt = $ mysqli-> prepare(“SELECT password FROM tbl_users WHERE name =?”)){
// Bind a variable to the parameter as a string.
$stmt->bind_param("s", $name);
// Execute the statement.
$stmt->execute();
// Get the variables from the query.
$stmt->bind_result($pass);
// Fetch the data.
$stmt->fetch();
// Display the data.
printf("Password for user %s is %s\n", $name, $pass);
// Close the prepared statement.
$stmt->close();
}