???????????
?????????????????????????Щ??????о????????????????????? SQL ??????????????????????磺
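// Deliberately vulnerable example: $id comes straight from the request and is interpolated
// into the query text unvalidated, so the input decides the query's structure, not just a value.
$id  = $_GET['id'];
$sql = "SELECT name FROM users WHERE id = $id";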
?????????ж? $_GET['id'] ????????????????????????κ??????????????? " and 1= 1 or " ???????????????????????淽?д??????Щ??
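// intval() forces the request value to an integer before interpolation, so what lands in the
// query text is always a bare number and can no longer change the query's structure.
// This only works for integer columns; string columns need escaping or, better, placeholders.
$id  = intval($_GET['id']);
$sql = "SELECT name FROM users WHERE id = $id";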
?????? id ????? int ???????????????????????
???????????
??????????????????????????????????????????????????????? int ?????????? intval ????????У?
????$id =intval( $_GET['id']);
?????????????????????Щ????????? sprintf ??????????????????????????????????????Щ???????????Щ???????????????磺
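// sprintf('%s') coerces the value to a string; addslashes() then backslash-escapes ' " \ and NUL.
// addslashes() knows nothing about the connection charset, so prefer mysqli_real_escape_string()
// over addslashes() (the original comment is garbled; it names exactly these two functions).
$str = addslashes(sprintf("%s", $str));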
?????????????????????????????????????ж???????????????????????????????????磺
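// Truncate first, then escape. The original escaped first and truncated afterwards, which can
// cut an escape sequence in half (e.g. keep the backslash of \' and drop the quote); the
// dangling backslash then escapes the quote that closes the literal in the SQL text.
$str = substr(sprintf("%s", $str), 0, 40); // cap length at 40 (bytes: substr is not multibyte-aware)
$str = addslashes($str);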
????????????
????????????????? SQL ??????????????php MySQLi ?? PDO ?????????????????? MySQLi ??????????????
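// MySQLi prepared statement: the SQL text and the values travel separately, so a bound value
// can never be parsed as SQL. Connection values below are example placeholders.
$mysqli = new mysqli('localhost', 'my_user', 'my_password', 'world');
$stmt = $mysqli->prepare("INSERT INTO CountryLanguage VALUES (?, ?, ?, ?)");
$code = 'DEU';
$language = 'Bavarian';
$official = "F";
$percent = 11.2;
// Type string 'sssd': one letter per placeholder, in order — three strings and one double.
$stmt->bind_param('sssd', $code, $language, $official, $percent);
$stmt->execute(); // binding alone sends nothing; the original snippet stopped before this call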
????PDO ???????????磺
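/* Execute a prepared statement by passing an array of values */
// Named placeholders (:calories, :colour) are bound on each execute(); the statement is
// prepared once and reused with different values, the values never touching the SQL text.
$sql = 'SELECT name, colour, calories
    FROM fruit
    WHERE calories < :calories AND colour = :colour';
$sth = $dbh->prepare($sql, array(PDO::ATTR_CURSOR => PDO::CURSOR_FWDONLY));
$sth->execute(array(':calories' => 150, ':colour' => 'red'));
$red = $sth->fetchAll();
$sth->execute(array(':calories' => 175, ':colour' => 'yellow'));
$yellow = $sth->fetchAll();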
?????????????? php ??????б???????ò??????д SQL????????????????????в???????????????? SQL ???????????д?????????????????ж??????? PDO ???? MySQLi ????????д?? prepared?????? wordprss db ????????????????????????????????
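/**
 * Build an escaped SQL query from a sprintf-style format and a list of values.
 *
 * Reproduction of the wpdb::prepare() shown in the text: %s, %d and %f placeholders in
 * $query are substituted with the escaped $args. Each value is passed through
 * $this->escape_by_ref() (defined elsewhere; presumably the connection's escaping routine)
 * and every %s is wrapped in single quotes, so callers write `... WHERE name = %s`, never `'%s'`.
 *
 * Only values that arrive through placeholders are protected: anything already interpolated
 * into $query before the call (identifiers, ORDER BY columns, LIMIT) reaches the driver as-is.
 * A literal % in the query must be written %%.
 *
 * @param string|null $query Format string containing at least one placeholder.
 * @param mixed       $args  Values, either as further arguments or as a single array (vsprintf style).
 * @return string|null The formatted query, or null when $query is null.
 */
function prepare( $query, $args ) {
    if ( is_null( $query ) )
        return;

    // This is not meant to be foolproof -- but it will catch obviously incorrect usage.
    if ( strpos( $query, '%' ) === false ) {
        _doing_it_wrong( 'wpdb::prepare', sprintf( __( 'The query argument of %s must have a placeholder.' ), 'wpdb::prepare()' ), '3.9' );
    }

    $args = func_get_args();
    array_shift( $args );
    // If args were passed as an array (as in vsprintf), move them up
    if ( isset( $args[0] ) && is_array( $args[0] ) )
        $args = $args[0];

    $query = str_replace( "'%s'", '%s', $query ); // in case someone mistakenly already singlequoted it
    $query = str_replace( '"%s"', '%s', $query ); // doublequote unquoting
    $query = preg_replace( '|(?<!%)%f|', '%F', $query ); // Force floats to be locale unaware
    $query = preg_replace( '|(?<!%)%s|', "'%s'", $query ); // quote the strings, avoiding escaped strings like %%s
    array_walk( $args, array( $this, 'escape_by_ref' ) );
    // @ hides the "too few arguments" warning of older PHP (vsprintf then returns false);
    // on PHP 8 vsprintf throws a ValueError instead, which @ does not suppress.
    return @vsprintf( $query, $args );
}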
???????
??????????????????????????????????????????????????????????????????á?????????????????????????????????Щ????????????????????? coding ???????????????????????????????????????£?????????????????????????????????????????????????????????????????????????