Principle: use a prepared statement so that the SQL statement and its parameters are sent to the server separately; a value bound as a parameter is never parsed as part of the SQL text, which is what prevents injection.
Code:
$conn = mysqli_connect($CONFIG['ADDB']['HOST'], $CONFIG['ADDB']['USERNAME'], $CONFIG['ADDB']['PASSWORD'], $CONFIG['ADDB']['DATABASE']);
$query = "SET NAMES 'utf8mb4'";
mysqli_query($conn, $query);
// Use a prepared statement: the SQL text with a ? placeholder is compiled by the server before any value is sent
// (`table` is a placeholder name here; because it is a reserved word in MySQL it has to be backtick-quoted)
$stmt = $conn->prepare("SELECT notice FROM `table` WHERE para = ?");
// Bind the parameter as a string ('s'); it travels separately from the SQL and is never spliced into it
$stmt->bind_param('s', $para);
// Execute the query
$stmt->execute();
// Bind the result column to a PHP variable
$stmt->bind_result($result);
// Fetch the row
if ($stmt->fetch()) {
    $response['data'] = $result;
}
// Release the result set
$stmt->free_result();
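To make the separation concrete, here is an added example (not part of the original post) that puts the string-concatenation query next to its prepared-statement equivalent for the same `notice`/`para` lookup. It assumes `$conn` is the mysqli connection opened above and uses `notices` as a placeholder table name.

```php
<?php
// Added example: the injectable pattern and its prepared-statement replacement.
// Assumes $conn is an open mysqli connection and a placeholder table `notices`
// with columns `para` and `notice`.
mysqli_report(MYSQLI_REPORT_OFF); // return false on error instead of throwing, so both paths can be compared

// VULNERABLE: the value becomes part of the SQL text, so any quote or operator
// inside it is read by the SQL parser instead of being treated as data.
function getNoticeUnsafe(mysqli $conn, string $para): ?string
{
    $sql = "SELECT notice FROM `notices` WHERE para = '" . $para . "'";
    $res = mysqli_query($conn, $sql);          // false on a syntax error
    $row = $res ? mysqli_fetch_assoc($res) : null;
    return $row['notice'] ?? null;
}

// SAFE: the SQL text with a ? placeholder is compiled first; the value is sent
// afterwards as a typed parameter and cannot change the shape of the query.
function getNoticeSafe(mysqli $conn, string $para): ?string
{
    $stmt = $conn->prepare("SELECT notice FROM `notices` WHERE para = ?");
    $stmt->bind_param('s', $para);   // 's' = string; 'i' for int, 'd' for float, 'b' for blob
    $stmt->execute();
    $stmt->bind_result($notice);
    $found = $stmt->fetch();
    $stmt->close();
    return $found ? $notice : null;
}

// A legitimate value containing an apostrophe breaks the unsafe query (the
// quote ends the string literal early, so mysqli_query returns false), while
// the safe version simply looks up that exact string.
$para = "O'Brien";
var_dump(getNoticeUnsafe($conn, $para));
var_dump(getNoticeSafe($conn, $para));
```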
Enjoy it!