Any query can be injected whether it's read or write, persistent or transient. Injections can be performed by ending one query and running a separate one (possible with mysqli), which renders the intended query irrelevant.

任何查询都可以被注入，无论是读还是写，是持久的还是瞬态的。可以通过结束一个查询并运行一个单独的查询（可能使用mysqli）来执行注入，这使得预期的查询无关紧要。

Any input to a query from an external source whether it is from users or even internal should be considered an argument to the query, and a parameter in the context of the query. Any parameter in a query needs to be parameterized. This leads to a properly parameterized query that you can create a prepared statement from and execute with arguments. For example:

任何来自外部源的查询输入，无论是来自用户还是内部，都应被视为查询的参数，以及查询上下文中的参数。查询中的任何参数都需要参数化。这会导致正确参数化的查询，您可以从中创建准备好的语句并使用参数执行。例如：

SELECT col1 FROM t1 WHERE col2 = ?

?is a placeholder for a parameter. Using mysqli, you can create a prepared statement using prepare, bind a variable (argument) to a parameter using bind_param, and run the query with execute. You don't have to sanitize the argument at all (in fact it's detrimental to do so). mysqlidoes that for you. The full process would be:

?是参数的占位符。使用mysqli，您可以使用来创建准备好的语句，使用prepare将变量（参数）绑定到参数bind_param，并使用运行查询execute。您根本不必清理论点（实际上这样做是有害的）。 mysqli为你做那个。完整的流程是：

$stmt = $mysqli->prepare("SELECT col1 FROM t1 WHERE col2 = ?");
$stmt->bind_param("s", $col2_arg);
$stmt->execute();

There is also an important distinction between parameterized queryand prepared statement. This statement, while prepared, is not parameterized and is thus vulnerable to injection:

参数化查询和准备好的语句之间还有一个重要的区别。这个语句在准备好的时候没有参数化，因此容易受到注入：

$stmt = $mysqli->prepare("INSERT INTO t1 VALUES ($_POST[user_input])");

To summarize:

总结一下：

• AllQueries should be properly parameterized (unless they have no parameters)
• Allarguments to a query should be treated as hostile as possible no matter their source

• 所有查询都应正确参数化（除非它们没有参数）
• 无论来源如何，查询的所有参数都应尽可能视为敌对