PHP's PDO object or STMT object executes a SQL statement containing the injection.
Checking the MySQL log shows that only the second single quote was escaped:
SELECT * FROM admin WHERE user = '123\' or 1 = 1#'
The native API log when calling libmysql.dll from C and other languages looks like this:
select * from admin where user = X'313233'
The way it is processed here is to convert the parameters into hexadecimal.
Both are prepared statements, so why are there two different underlying processing methods?
Is the prepared-statement function that PHP wraps based on MySQL's native API?
Another claim found on Baidu is that PHP's prepared statements are pseudo-parameterized queries (emulated prepares), but Baidu has no introductory material on this.
Is this claim true?
I hope an expert can clear up my confusion. Thanks again!
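The following is an added example, not code from the original post, showing the two PDO modes the question is asking about. pdo_mysql emulates prepares by default: PDO escapes the bound value client-side and sends one complete SQL string to the server, which is why the MySQL general log shows a single statement with a backslash-escaped quote. With PDO::ATTR_EMULATE_PREPARES set to false, PDO uses the server's native prepared-statement protocol (COM_STMT_PREPARE followed by COM_STMT_EXECUTE), so the SQL text and the parameter value travel separately and the general log records separate Prepare and Execute entries. The DSN, database name, credentials and the admin table are placeholders.

```php
<?php
// Added example (not from the original post): compare PDO emulated vs native prepares.
// Assumes a local MySQL with a database `testdb` containing an `admin` table that has
// a `user` column; host, database name and credentials below are placeholders.
$dsn  = 'mysql:host=127.0.0.1;dbname=testdb;charset=utf8mb4';
$user = 'dbuser';   // placeholder
$pass = 'dbpass';   // placeholder

// The same attacker-style input quoted in the post, treated here as untrusted data.
$input = "123' or 1 = 1#";

foreach ([true, false] as $emulate) {
    $pdo = new PDO($dsn, $user, $pass, [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        // true  (pdo_mysql default): PDO escapes the value and interpolates it into the
        //        SQL string client-side; the general log shows one SELECT with `\'`.
        // false: PDO sends COM_STMT_PREPARE / COM_STMT_EXECUTE; the SQL text never
        //        contains the value, and the general log shows Prepare + Execute rows.
        PDO::ATTR_EMULATE_PREPARES => $emulate,
    ]);

    // The query text is fixed; the value is bound, never concatenated.
    $stmt = $pdo->prepare('SELECT * FROM admin WHERE user = :user');
    $stmt->bindValue(':user', $input, PDO::PARAM_STR);
    $stmt->execute();
    $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);

    // In both modes the bound value is data: only a row whose `user` column literally
    // equals "123' or 1 = 1#" can match, so the `or 1 = 1` never becomes SQL.
    printf("emulate=%s matched_rows=%d\n", $emulate ? 'on' : 'off', count($rows));
}
```

To observe the difference the post describes, enable the server's general log (`SET GLOBAL general_log = 'ON';`) before running the script and compare the two runs: the emulated run logs one complete SELECT containing the escaped quote, while the native run logs a Prepare entry with the `?` placeholder still in place and a separate Execute entry. Either mode keeps the bound value out of the SQL grammar; the practical difference is where the quoting happens (client library versus server protocol), which matters for charset handling and for reusing a prepared statement across many executes.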
shuffle 2017-06-15 22:03:18
Although I don’t understand what you are talking about, it feels so high-end