[英]How to sanitize input with PHP and the sqlsrv driver?
I'm working on a PHP MSSQL project that is using the sqlsrv driver. 我正在使用sqlsrv驱动程序的PHP MSSQL项目上。 What's the best way to stop SQL injection attacks?
阻止SQL注入攻击的最佳方法是什么? I need something like mysql_real_escape_string() but for sqlsrv driver.
我需要类似mysql_real_escape_string()的东西,但要使用sqlsrv驱动程序。
If you use it like this, quoting is automatic: 如果像这样使用它,则引用是自动的:
$sql = "exec usp_cis_upd
@key = ?,
@value = ?";
$params = array(
$key,
trim($_POST["value"]));
$stmt = sqlsrv_query($dbh, $sql, $params);
The best way is not to write your SQL so that you need to use an analogue of mysql_real_escape_string()
, which you would do by using placeholders for the values and then passing the variables (that would otherwise have been handled by mysql_real_escape_string()
) when you execute the statement or open the cursor or whatever. 最好的方法是不要编写SQL,以便需要使用
mysql_real_escape_string()
的类似物,可以通过使用占位符作为值,然后传递变量(否则将由mysql_real_escape_string()
处理)来实现。您执行该语句或打开游标或任何其他内容。
Failing that, look at the output of mysql_real_escape_string()
; 如果失败,请查看
mysql_real_escape_string()
的输出; it might be appropriate for MS SQL Server too. 它可能也适用于MS SQL Server。 It depends on how it does the escaping (and what escaping it does).
这取决于转义的方式(以及转义的方式)。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.