
Regarding the underlying processing of MySQL prepared statements for preventing injection

When PHP's PDO object or STMT object executes an SQL statement containing an injection attempt,
checking the MySQL log shows that only the second single quote was escaped:
SELECT * FROM admin WHERE user = '123\' or 1 = 1#'
The native API log from calling libmysql.dll from C and other languages looks like this:
select * from admin where user = X'313233'
Here the processing method is to convert the parameters into hexadecimal.

Both are prepared statements, so why are there two different ways of processing them at the lower level?

Is the prepared-statement function that PHP wraps based on MySQL's native API?

Another claim found on Baidu is that PHP's prepared statements are pseudo-parameterized queries (emulated prepares), but Baidu has no further information on this.
Is this claim true?

I hope the master can clear up the confusion. Thank you again!

phpcn_u5077 · 2752 days ago · 1784
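As an added example that is not part of the original question or its replies, this PHP snippet shows the two PDO modes the question is asking about: the default client-side emulation, which quotes the value and sends one text query (the first log line in the question), and native server-side prepares, where the statement and the value travel separately. The DSN, credentials and the `admin` table are placeholders.

```php
<?php
// Added example: PDO emulated prepares vs. native MySQL prepared statements.
// Assumes a reachable MySQL server with an `admin` table; DSN and credentials
// below are placeholders to be replaced.
$dsn  = 'mysql:host=127.0.0.1;dbname=test;charset=utf8mb4';
$user = 'DB_USER';     // placeholder
$pass = 'DB_PASSWORD'; // placeholder

// The probe string from the question, treated purely as data.
$input = "123' or 1 = 1#";

function lookup(PDO $pdo, string $value): array
{
    $stmt = $pdo->prepare('SELECT * FROM admin WHERE user = :u');
    $stmt->execute([':u' => $value]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// 1) pdo_mysql default: emulation ON. PDO quotes the value on the client
//    (with the connection charset) and sends a single complete text query,
//    so the general log shows one Query line such as
//    SELECT * FROM admin WHERE user = '123\' or 1 = 1#'
$emulated = new PDO($dsn, $user, $pass, [
    PDO::ATTR_EMULATE_PREPARES => true,
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
]);

// 2) Emulation OFF: the statement text with a placeholder is sent in
//    COM_STMT_PREPARE and the value separately in COM_STMT_EXECUTE, so the
//    server never parses the value as SQL. The general log then shows a
//    Prepare line followed by an Execute line instead of a single Query.
$native = new PDO($dsn, $user, $pass, [
    PDO::ATTR_EMULATE_PREPARES => false,
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
]);

// Both modes match only rows whose user column literally equals the probe
// string; neither lets the quote or the comment marker alter the query.
printf("emulated: %d row(s), native: %d row(s)\n",
    count(lookup($emulated, $input)),
    count(lookup($native, $input)));
```

Compare the MySQL general log after running each connection to see the two shapes the question describes side by side.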


  • 清晨的那一抹阳光照耀在我的脸上 · 2017-06-15 22:31:56

    PHP masters all study the lower layers.

  • phpcn_u5077

    I'm not a master, but I like to get to the bottom of things that are strange and interesting.

    phpcn_u5077 · 2017-06-16 07:31:17
  • shuffle · 2017-06-15 22:03:18

    Although I don't understand what you are talking about, it feels so high-end.

  • phpcn_u5077

    。。。。。。

    phpcn_u5077 · 2017-06-16 07:33:44