如何使用PHP和sqlsrv驱动程序清理输入?
[英]How to sanitize input with PHP and the sqlsrv driver?
问题描述
I'm working on a PHP MSSQL project that is using the sqlsrv driver. 
我正在使用sqlsrv驱动程序的PHP MSSQL项目上。 What's the best way to stop SQL injection attacks? 阻止SQL注入攻击的最佳方法是什么? I need something like mysql_real_escape_string() but for sqlsrv driver. 我需要类似mysql_real_escape_string()的东西,但要使用sqlsrv驱动程序。
2 个解决方案
解决方案1
4 2012-05-14 08:25:25
If you use it like this, quoting is automatic: 如果像这样使用它,则引用是自动的:
$sql = "exec usp_cis_upd
@key = ?,
@value = ?";
$params = array(
$key,
trim($_POST["value"]));
$stmt = sqlsrv_query($dbh, $sql, $params);
解决方案2
1 已采纳 2011-09-29 22:30:54
The best way is not to write your SQL so that you need to use an analogue of mysql_real_escape_string() , which you would do by using placeholders for the values and then passing the variables (that would otherwise have been handled by mysql_real_escape_string() ) when you execute the statement or open the cursor or whatever. 最好的方法是不要编写SQL,以便需要使用mysql_real_escape_string()的类似物,可以通过使用占位符作为值,然后传递变量(否则将由mysql_real_escape_string()处理)来实现。您执行该语句或打开游标或任何其他内容。
Failing that, look at the output of mysql_real_escape_string() ; 如果失败,请查看mysql_real_escape_string()的输出; it might be appropriate for MS SQL Server too. 它可能也适用于MS SQL Server。 It depends on how it does the escaping (and what escaping it does). 这取决于转义的方式(以及转义的方式)。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.