2012-11-13 39 views
2

Secure table data entry PHP/PDO/MySQL

I am learning the basics of PDO. I have built the following to insert data into a table, but I would like feedback on whether this is secure, or whether it could be done better.

Do my POST variables need to be escaped, as with mysql_real_escape_string()?

$firstname = $_POST['First_Name']; 
$surname = $_POST['Surname']; 
$nicknames = $_POST['Nicknames']; 
$age = $_POST['Age']; 


// Connection data (server_address, database, name, password) 
$hostdb = 'localhost'; 
$namedb = 'tsite_co_uk'; 
$userdb = '[email protected]'; 
$passdb = 'password'; 

try { 
    // Connect and create the PDO object 
    $conn = new PDO("mysql:host=$hostdb; dbname=$namedb", $userdb, $passdb); 
    $conn->exec("SET CHARACTER SET utf8");  // Sets encoding UTF-8 
    $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); 

    // Define an insert query 
    $sql = "INSERT INTO `directory` 

    (`First_Name`,`Surname`,`Nicknames`,`Age`) 

    VALUES ('$firstname','$surname','$nicknames','$age') 

    "; 

    $count = $conn->exec($sql); 

    $conn = null;  // Disconnect 
} 
catch(PDOException $e) { 
    echo $e->getMessage(); 
} 
+0

A better place to ask questions like this is http://codereview.stackexchange.com/. That said, no... it is not safe. Learn how to use prepared statements: http://php.net/manual/en/pdo.prepared-statements.php –

Answer

1

This is not secure - you're doing nothing to prevent SQL injection from the user-supplied $_POST values. You should use prepared statements and bind the values to them:

$conn = new PDO("mysql:host=$hostdb;dbname=$namedb", $userdb, $passdb); 
$conn->exec("SET CHARACTER SET utf8");  // Sets encoding UTF-8 
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); 

// Named placeholders instead of interpolated variables 
$sql = "INSERT INTO `directory` (`First_Name`,`Surname`,`Nicknames`,`Age`) 
    VALUES (:firstname, :surname, :nicknames, :age)"; 

$statement = $conn->prepare($sql); 
// Each bound value is passed to the driver separately from the SQL text 
$statement->bindValue(":firstname", $firstname); 
$statement->bindValue(":surname", $surname); 
$statement->bindValue(":nicknames", $nicknames); 
$statement->bindValue(":age", $age); 

// execute() returns true/false; use $statement->rowCount() for the number of rows inserted 
$success = $statement->execute(); 
+0

Thanks @ray, do I still need to define the $firstname etc. variables from my post values first? $firstname = $_POST['First_Name']; $surname = $_POST['Surname']; $nicknames = $_POST['Nicknames']; $age = $_POST['Age']; – Liam

+1

@Liam Yes, I am doing everything before the connection is created. Also, this is all inside the try/catch block. – Ray
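The following is an added, complete example of the approach in the answer; it is not code from the question or from Ray's answer. It uses an in-memory SQLite database (an assumption, so it runs without a MySQL server), validates the form fields before they reach the database, binds every value with an explicit PDO type, and feeds a constructed surname containing a quote and an attempted statement terminator to show that a bound value is stored literally rather than parsed as SQL. The function and variable names (connect, insertPerson, readForm, $fakePost) are my own.

```php
<?php
// Added example, not the original question's or answer's code. SQLite stands in
// for the MySQL server from the question; insertPerson() takes any PDO handle.
declare(strict_types=1);

function connect(): PDO
{
    // Assumption: in-memory SQLite so the script runs offline.
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // On MySQL, also turn off client-side emulation so the server receives the
    // placeholders and the values separately (the attribute is MySQL-specific).
    if ($pdo->getAttribute(PDO::ATTR_DRIVER_NAME) === 'mysql') {
        $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    }
    $pdo->exec('CREATE TABLE directory (
        First_Name TEXT NOT NULL,
        Surname    TEXT NOT NULL,
        Nicknames  TEXT,
        Age        INTEGER NOT NULL
    )');
    return $pdo;
}

/**
 * Inserts one row with named placeholders and returns the number of rows
 * inserted. execute() itself only returns true/false.
 */
function insertPerson(PDO $pdo, string $firstname, string $surname, string $nicknames, int $age): int
{
    $stmt = $pdo->prepare(
        'INSERT INTO directory (First_Name, Surname, Nicknames, Age)
         VALUES (:firstname, :surname, :nicknames, :age)'
    );
    $stmt->bindValue(':firstname', $firstname, PDO::PARAM_STR);
    $stmt->bindValue(':surname',   $surname,   PDO::PARAM_STR);
    $stmt->bindValue(':nicknames', $nicknames, PDO::PARAM_STR);
    $stmt->bindValue(':age',       $age,       PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

/** Checks that every field is present and that Age is a plausible integer. */
function readForm(array $post): array
{
    foreach (['First_Name', 'Surname', 'Nicknames', 'Age'] as $field) {
        if (!isset($post[$field]) || !is_string($post[$field])) {
            throw new InvalidArgumentException("Missing field: $field");
        }
    }
    $age = filter_var($post['Age'], FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0, 'max_range' => 150]]);
    if ($age === false) {
        throw new InvalidArgumentException('Age must be an integer between 0 and 150');
    }
    return [trim($post['First_Name']), trim($post['Surname']), trim($post['Nicknames']), $age];
}

// Constructed sample input standing in for $_POST. The surname carries a quote
// and an attempted statement terminator; with binding it is just a string.
$fakePost = [
    'First_Name' => 'Liam',
    'Surname'    => "O'Brien'); DROP TABLE directory; --",
    'Nicknames'  => 'Li',
    'Age'        => '34',
];

$pdo = connect();
[$first, $sur, $nick, $age] = readForm($fakePost);
$rows = insertPerson($pdo, $first, $sur, $nick, $age);

// Read the row back: the table still exists and the surname is stored verbatim.
$stored = $pdo->query('SELECT Surname, Age FROM directory')->fetch(PDO::FETCH_ASSOC);
printf("rows inserted: %d\nstored surname: %s\nstored age: %d\n",
    $rows, $stored['Surname'], $stored['Age']);
```

Against MySQL, replace the SQLite DSN with the one from the question and put the character set in the DSN (`mysql:host=...;dbname=...;charset=utf8mb4`) rather than issuing `SET CHARACTER SET` afterwards, so the client library knows the encoding when it escapes or binds values. Validating Age as an integer before binding it with `PDO::PARAM_INT` keeps the database from receiving arbitrary text in a numeric column, which is a data-quality check on top of the injection protection the placeholders already give.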