Avoiding Injection Attacks when using Visual FoxPro OLE DB Provider in PHP


Problem description

I am accessing a VFP database in PHP using the Visual FoxPro OLE DB Provider (vfpoledb.dll). I want to prepare statements for queries I am going to make in the same (or similar) way you would if you were using PDO or some other database abstraction layer.

Does anyone know if you can and the best way to prepare a statement so as to avoid injection attacks?

$conn = new COM("ADODB.Connection");
$conn->Open('Provider=VFPOLEDB.1;Data Source="' . $path . '";');

// Bad! $value is concatenated straight into the SQL text
$up = $conn->Execute("UPDATE tablename SET fieldname='Testing' WHERE fieldname = '" . $value . "'");

// Good?
...

And/or, if anyone knows where there is a reference to the methods accessible through this COM dll, that would be fantastic.

Recommended answer

Just an update for anyone who walks this path in future days.

I ended up solving this problem using the ADOdb Database Abstraction Library for PHP: http://adodb.sourceforge.net/

An example:

            // Load ADOdb (adjust the include path to where the library lives)
            require_once '/path/to/adodb/adodb.inc.php';

            // Path to your dbc file
            $path = '/path/to/the/file.dbc';

            // Create a FoxPro connection
            $db = ADONewConnection('vfp');

            // Create DSN (note: the variable is $path, not a bare constant)
            $dsn = "Driver={Microsoft Visual FoxPro Driver};SourceType=DBC;SourceDB=" . $path . ";Exclusive=No;";

            // Connect or die trying
            $db->Connect($dsn) or die('Error connecting with Visual FoxPro Driver');

            // Set fetch mode (this just makes the return values easier to parse)
            $db->SetFetchMode(ADODB_FETCH_BOTH);

            // Your query - use ? as the placeholder for each value
            $query = "SELECT fieldname_a, fieldname_b FROM tablename WHERE fieldname_c = ? AND fieldname_d = ?";

            // Your query params, bound in placeholder order
            $queryParms = array('valueYouAreSearchingFor_c', 'valueYouAreSearchingFor_d');

            // Execute the query; ADOdb passes the values separately from the SQL text
            $rs = $db->Execute($query, $queryParms);

            // An example looping the results (>= php5)
            foreach ($rs as $row) {

                // Print out examples
                print_r($row);
                echo $row["fieldname_a"];
                echo $row["fieldname_b"];
            }

            // Don't forget to clean up after yourself
            $rs->Close();
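For the question's original COM route (no abstraction layer), the "// Good?" slot can be filled with an ADODB.Command that binds the value as a parameter instead of concatenating it. This is an added example, not code from the question or the answer above; it assumes the VFP OLE DB provider accepts ? placeholders, that $path points at an existing .dbc, and the ADO type-library values adVarChar = 200 and adParamInput = 1.

```php
<?php
// Added example: parameterised UPDATE through the VFP OLE DB provider via COM.
// Assumption: VFPOLEDB accepts "?" placeholders in the command text.
$path  = 'C:\\data\\example.dbc';   // constructed sample path
$value = "O'Brien";                 // constructed input; the quote must not break the query

// ADO constants (the PHP COM extension does not export them; values from the ADO type library)
define('AD_VARCHAR',     200); // adVarChar
define('AD_PARAM_INPUT', 1);   // adParamInput

$conn = new COM('ADODB.Connection');
$conn->Open('Provider=VFPOLEDB.1;Data Source="' . $path . '";');

function updateField(COM $conn, string $value): void
{
    // The SQL text is fixed; the provider receives $value separately,
    // so it is never parsed as part of the statement.
    $cmd = new COM('ADODB.Command');
    $cmd->ActiveConnection = $conn;
    $cmd->CommandText = "UPDATE tablename SET fieldname = 'Testing' WHERE fieldname = ?";

    // CreateParameter(name, type, direction, size, value); 254 is VFP's max char width
    $p = $cmd->CreateParameter('fieldname', AD_VARCHAR, AD_PARAM_INPUT, 254, $value);
    $cmd->Parameters->Append($p);

    $cmd->Execute();
}

updateField($conn, $value);
$conn->Close();
```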
