I'd like to take measures against SQL injection into PHP.
"SELECT* FROM hogehoge WHERE id='$id'AND number='$data'
In the place where the SQL statement is assembled, the id contains an integer as an argument, so it can be addressed by string literal, but the data is
>Integer
As we pass the argument, we are in a situation where we cannot deal with it with string literals.
What should I do?
Additional information
$dbh->query("SET NAMES' hogehoge'");
$sql="SELECT* FROM replies WHERE id=? AND data=?";
$sth = $dbh->prepare($sql, array('integer'), array('string'));
$th->execute(array($id),array($data)));
If you pass the >integer
to $data as an argument, it will play.
Additionally, I have never seen the syntax before, but is it MySQLi or PDO?Or are you using something completely different?
Assuming it's a PDO (because the variable is similar to the page in PDO::prepare
), the writing style is fundamentally strange.
$sql="SELECT* FROM replies WHERE id=? AND data=?";
$sth = $dbh->prepare($sql);
$th->execute([$id,$data]);
Depending on the framework you are using, it may not be helpful at all.In that case, please explain the framework you are using.Also, if you use ambiguous expressions such as "I'll be played" when things don't go well, the reader can't understand what happened at all.Be sure to provide important information such as error messages.
I didn't understand exactly what the question meant, but as you can see on the reference site, the common solution for SQL injection is to use a prepared statement.Even if you do not use a prepared statement, it is recommended that you check and set the input values for the variable parts of SQL properly, but in some cases, it is not easy to check properly.
© 2024 OneMinuteCode. All rights reserved.