PHP Lies to You: PDO prepare() Is Not Actually Prepared

ChiVincent
May 26, 2018
<?php
try {
    $dbh = new PDO(
        'mysql:host=127.0.0.1;dbname=test;charset=utf8mb4',
        'root',
        'root'
    );
    // With pdo_mysql's default (PDO::ATTR_EMULATE_PREPARES = true) this prepare()
    // sends nothing to the server; PDO only parses the placeholder locally.
    $sth = $dbh->prepare('SELECT * FROM `users` WHERE `role` = ?');
    $sth->bindValue(1, $_GET['role']);
    // execute() returns a bool; the rows themselves come from fetch()/fetchAll().
    $result = $sth->execute();
    var_dump($result);
} catch (PDOException $exception) {
    die("Something wrong: {$exception->getMessage()}");
}

Experiment

<?php
try {
    $dbh = new PDO(
        'mysql:host=127.0.0.1;dbname=test;charset=utf8mb4',
        'root',
        'root'
    );
    // Same query as above, but this time the result row is fetched so the
    // packet capture shows both the prepare and the execute round trip.
    $sth = $dbh->prepare('SELECT * FROM `users` WHERE `id` = ?');
    $sth->bindValue(1, $_GET['id']);
    $sth->execute();
    $result = $sth->fetch();
    var_dump($result);
} catch (PDOException $e) {
    die("Something wrong: {$e->getMessage()}");
}

With PDO::ATTR_EMULATE_PREPARES = true (the default):
(Figures not reproduced here: packet capture of the Request Prepare Statement on the left and of the Request Execute Statement on the right.)
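As an added example (not code from the original article), here is the constructor option that turns emulation off, together with a check that needs no packet capture: MySQL's per-session `Com_stmt_prepare` status counter only moves when the server actually received a COM_STMT_PREPARE, and a syntax error is raised at `prepare()` only when the statement really reached the server. The host, credentials and `users` table are the article's own; `connect`, `serverPrepareCount`, `lookupUser` and `failsAt` are names chosen here.

```php
<?php
// Added example, not code from the original article. It turns off client-side
// emulation so PDO::prepare() really sends COM_STMT_PREPARE to MySQL, and then
// checks that from the server's own session counters instead of a packet
// capture. Assumptions (same as the article's setup): MySQL on 127.0.0.1,
// database `test`, user root/root, a `users` table with an `id` column.

function connect(bool $emulate): PDO
{
    return new PDO(
        'mysql:host=127.0.0.1;dbname=test;charset=utf8mb4',
        'root',
        'root',
        [
            // true (pdo_mysql's default): PDO quotes the bound values itself and
            // sends one plain-text query at execute(); prepare() sends nothing.
            // false: PDO uses the binary protocol, so prepare() sends
            // COM_STMT_PREPARE and execute() sends COM_STMT_EXECUTE with the
            // values carried as separate typed fields, never spliced into SQL.
            PDO::ATTR_EMULATE_PREPARES => $emulate,
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        ]
    );
}

// Per-session count of real (server-side) prepares seen on this connection.
function serverPrepareCount(PDO $dbh): int
{
    $row = $dbh->query("SHOW SESSION STATUS LIKE 'Com_stmt_prepare'")
               ->fetch(PDO::FETCH_ASSOC);
    return (int) ($row['Value'] ?? 0);
}

// The article's query. PARAM_INT matters in emulation mode: without it PDO
// interpolates a quoted string (`id` = '1'), which breaks for clauses such as
// LIMIT ?; with native prepares the server receives a typed integer parameter.
function lookupUser(PDO $dbh, int $id): array
{
    $sth = $dbh->prepare('SELECT * FROM `users` WHERE `id` = ?');
    $sth->bindValue(1, $id, PDO::PARAM_INT);
    $sth->execute();
    $row = $sth->fetch(PDO::FETCH_ASSOC);

    return [
        'row' => $row === false ? null : $row,
        // Stays 0 for the whole session while emulation is on, because the
        // server never received a prepare. With emulation off it is >= 1 (the
        // SHOW issued by PDO::query() is itself prepared server-side in that
        // mode, so it may read 2).
        'server_prepares' => serverPrepareCount($dbh),
    ];
}

// Where a SQL syntax error surfaces also tells the two modes apart: with a
// real prepare MySQL rejects the statement at prepare(); with emulation
// prepare() accepts any string and the error only appears at execute().
function failsAt(PDO $dbh): string
{
    try {
        $sth = $dbh->prepare('SELEC * FROM `users`'); // constructed typo
    } catch (PDOException $e) {
        return 'prepare';
    }
    try {
        $sth->execute();
    } catch (PDOException $e) {
        return 'execute';
    }
    return 'never';
}

foreach ([[true, 'emulated (default)'], [false, 'native']] as [$emulate, $label]) {
    $dbh = connect($emulate);
    printf("%-18s prepares seen by server: %d, syntax error raised at: %s\n",
        $label,
        lookupUser($dbh, (int) ($_GET['id'] ?? 1))['server_prepares'],
        failsAt($dbh));
}
```

Note that turning emulation off changes behaviour beyond the wire protocol: `prepare()` now costs a round trip and fails early on bad SQL, and each bound value travels with its declared type, so use `PDO::PARAM_INT` where the column or clause expects a number.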

Conclusion

Written by

ChiVincent (wetprogrammer)

http://chivincent.net/

A web programmer, using modern PHP, Rust and Golang