A book titled 《代码审计:企业级web代码安全架构》 (Code Auditing: Enterprise-Grade Web Code Security Architecture) was published recently. It covers how to dig vulnerabilities out of code, how to defend against them, and how to design features so they are more secure. Anyone interested can search for it on Taobao, JD.com and similar sites.

Let's first look at a piece of code:
```php
<?php
$dbh = new PDO("mysql:host=localhost; dbname=demo", "user", "pass");
// PDO::ATTR_EMULATE_PREPARES is left at its default (true) for pdo_mysql:
// the parameters are escaped client-side and spliced into the SQL text.
$dbh->exec("set names 'gbk'");   // charset switched on the server side only
$sql = "select * from test where name = ? and password = ?";
$stmt = $dbh->prepare($sql);
$exeres = $stmt->execute(array($name, $pass));
```
Although the code above uses PDO's prepare method to handle the SQL query, when the PHP version

```php
<?php
$dbh = new PDO("mysql:host=localhost; dbname=demo", "user", "pass");
$dbh->exec("set names 'utf8'");   // single-byte-safe charset instead of gbk
$sql = "select * from test where name = ? and password = ?";
$stmt = $dbh->prepare($sql);
$exeres = $stmt->execute(array($name, $pass));
```
```php
<?php
$dbh = new PDO("mysql:host=localhost; dbname=demo", "user", "pass");
// Disable emulated prepares so the statement is really prepared on the server
// and the parameters are sent separately from the SQL text.
$dbh->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
$dbh->exec("set names 'utf8'");
$sql = "select * from test where name = ? and password = ?";
$stmt = $dbh->prepare($sql);
$exeres = $stmt->execute(array($name, $pass));
```
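As an added example (not code from the original post), here is the same query with the connection opened so that the client library is told the charset in the DSN, emulation is turned off at connect time, and both settings are verified before any query runs. It assumes PHP 5.3.6 or later (where the DSN `charset` option is honoured); the host, database and credentials are placeholders.

```php
<?php
// Added example: hardened PDO/MySQL connection with runtime self-checks.
function open_db(string $host, string $db, string $user, string $pass): PDO
{
    // Declare the charset in the DSN so the client library knows it at connect
    // time, rather than learning nothing from a later "SET NAMES" that only the
    // server sees.
    $dsn = "mysql:host={$host};dbname={$db};charset=utf8mb4";
    $dbh = new PDO($dsn, $user, $pass, [
        PDO::ATTR_EMULATE_PREPARES => false,               // server-side prepares
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    ]);

    // Fail closed if the driver is still emulating prepared statements.
    if ($dbh->getAttribute(PDO::ATTR_EMULATE_PREPARES)) {
        throw new RuntimeException('PDO is still emulating prepared statements');
    }
    // Confirm character_set_client and character_set_connection are what we asked for.
    foreach ($dbh->query("SHOW VARIABLES LIKE 'character_set_c%'") as $row) {
        if (strpos($row['Value'], 'utf8') !== 0) {
            throw new RuntimeException("unexpected {$row['Variable_name']}={$row['Value']}");
        }
    }
    return $dbh;
}

function find_user(PDO $dbh, string $name, string $pass): ?array
{
    $stmt = $dbh->prepare('SELECT * FROM test WHERE name = ? AND password = ?');
    $stmt->execute([$name, $pass]);   // values travel separately from the SQL text
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Placeholder connection details; replace with real ones.
$dbh = open_db('localhost', 'demo', 'user', 'pass');
var_dump(find_user($dbh, $_POST['name'] ?? '', $_POST['password'] ?? ''));
```

If `open_db()` throws, the connection is not in the state the query relies on, which is the condition worth alerting on rather than silently falling back to client-side escaping.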