向 PHP mssql 查询添加参数 [英] Add parameters to a PHP mssql query

查看:41
本文介绍了向 PHP mssql 查询添加参数的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

给定以下查询(在代码中,不是存储过程);如何向查询添加参数而不是直接在查询中包含条件值?换句话说:我怎样才能使这个数据库调用安全?

<预><代码>$dbhandle = mssql_connect($myServer, $myUser, $myPass);$selected = mssql_select_db($myDB, $dbhandle);$query = "选择姓氏、名字、地址、电话、电子邮件";$query .= "发件人";$query .=" WHERE lastname LIKE '" .$姓氏."'";$result = mssql_query($query);while($row = mssql_fetch_array($result)) {... 等等.

解决方案

首先放弃过时的扩展,使用 sqlsrv 代替:

<块引用>

这些函数允许您访问 MS SQL Server 数据库.

此扩展在使用 PHP 5.3 的 Windows 上不再可用,或者稍后.

SQLSRV,Microsoft 提供了 MS SQL 的替代驱动程序:» http://msdn.microsoft.com/en-us/sqlserver/ff657782.aspx.

之后,您将获得对准备好的语句的支持:

$dbh = sqlsrv_connect ($serverName, $credentials);$stmt = sqlsrv_prepare($dbh, 'SELECT lastname,firstname,address,phone,email FROM person WHERE lastname LIKE ?', array(&$lastName));如果(sqlsrv_execute($stmt)){while(false !== ($row = sqlsrv_fetch_array($stmt)){//用 $row 做事}}

当然,如果我是,我会像其他人建议的那样使用 PDO,为它支持的所有数据库提供相同的接口.

如果由于某种原因您一直在使用 mssql,那么我相信您也无法手动转义所有查询参数.

Given the following query (in the code, NOT a stored procedure); how can I add parameters to the query rather than including the condition values directly in the query? In other words: how can I make this database call secure?


$dbhandle = mssql_connect($myServer, $myUser, $myPass); 
$selected = mssql_select_db($myDB, $dbhandle); 

$query  = "SELECT lastname, firstname, address, phone, email ";
$query .= "  FROM person";
$query .= " WHERE lastname LIKE '" . $lastName . "'";

$result = mssql_query($query);

while($row = mssql_fetch_array($result)) {
... etc.

解决方案

First of all abandon the outdated extension and use sqlsrv instead:

These functions allow you to access MS SQL Server database.

This extension is not available anymore on Windows with PHP 5.3 or later.

SQLSRV, an alternative driver for MS SQL is available from Microsoft: » http://msdn.microsoft.com/en-us/sqlserver/ff657782.aspx.

After that you get suppport for prepared statements:

$dbh = sqlsrv_connect ($serverName, $credentials);
$stmt = sqlsrv_prepare($dbh, 'SELECT lastname,firstname,address,phone,email FROM person WHERE lastname LIKE ?', array(&$lastName));


if(sqlsrv_execute($stmt))
{
   while(false !== ($row = sqlsrv_fetch_array($stmt)){
     // do stuff with $row
   }
}

Of course if i were i would just use PDO as others have suggested with presents the same interface to all db the extensions it supports.

If youre stuck using mssql for some reason then i believe youre also stuck manually escaping all your query parameters.

这篇关于向 PHP mssql 查询添加参数的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!

查看全文
相关文章
PHP最新文章
热门教程
热门工具
登录 关闭
扫码关注1秒登录
发送“验证码”获取 | 15天全站免登陆