使用 PHP for SQL Server 和无 PDO 防止 SQL 注入 [英] Prevention of SQL injection with PHP for SQL Server and without PDO

问题描述

我可以尽可能地清理和验证我的输入，但这绝对不能涵盖所有内容，如果我足够用力、足够彻底地擦洗，我将完全清除我的输入.

I can sanitize and validate my input as much as possible but that definitely doesn't cover everything and if I scrub hard enough, thoroughly enough, I will completely wipe away my input.

我意识到有很多关于这个主题的帖子，但似乎他们总是回到 PDO 或 Mysql(是的 - 即使有人发布了关于 SQL Server 的帖子，他们收到的一半答案都表明 mysql_real_escape_string -疯狂的世界). 我也不能使用.即使在我打字时，屏幕右侧出现一些类似的问题"，我也一直点击各种链接，但没有任何内容能完全回答我的问题.

I realize there are a lot of posts out there about this topic but it seems like they always go back to PDO or Mysql (yes - even if someone posts about SQL Server, half the answers they receive suggest mysql_real_escape_string - crazy world). I cannot use either. Even as I type and the little "similar questions" appear on the right of my screen, I keep clicking on various links and nothing fully answers my question.

我正在使用 SQL Server.我正在使用 PHP 5.2.4.我不能使用 PDO(因为...?我的老板说不"，这就是足够的理由).

I am using SQL Server. I am using PHP 5.2.4. I cannot use PDO (because...? my boss said 'no' and that's enough reason).

有没有一种方法可以编写一种安全的方法来准备我自己的查询语句?

Is there a way I could write a safe way to prepare my own query statements?

过去，我曾尝试在 PHP 中构建这样的语句.(其中 $input_* 变量是某种形式的用户输入，或者我将它们从某些东西中提取出来)

In the past, I have tried to build a statement like this in the PHP. (where $input_* variables are some form of user input or I pulled them out of something)

$query = "
    declare @varID  int
    declare @var1   int
    declare @var2   varchar(100) 

    set @varID = cast('$input_ID' as int)
    set @var1  = cast('$input_var1' as int)
    set @var2  = cast('$input_var2' as varchar(100)) 

    update table_name_goes_here
         set var1 = @var1,  
             var2 = @var2
         where ID = @varID;
    ";
 # $query is then executed 

但这也很容易受到攻击......显然......我做的最后一件事是删除所有必要的标点符号(有时我知道他们没有理由使用某些字符)

but that can be vulnerable, too... obviously.... And the last thing I do is remove all necessary punctuation (sometimes I know they will have no reason to use certain characters)

但必须有其他选择......对吗?并且 mssql_bind 仅适用于存储过程，这是一个明确的选择，但我不确定我是否想自愿扩展我的职责，通过执行插入/更新过程将维护包括在实际数据库中.

But there has to be some other option... right? And mssql_bind only works for stored procedures, which is a definite option but I'm not sure if I want to volunteer to expand my responsibilities to include maintenance in the actual database by making insert/update procedures.

推荐答案

您还没有回答如果不允许 PDO，您打算如何与 MS SQL 数据库对话"的问题，但我认为有要使用的 mssql_* 函数.

You haven't answered the question "How do you intent to talk to the MS SQL database if PDO isn't allowed", but I assume there are the mssql_* functions to be used.

这些没有现成的转义函数，但它们似乎为您提供了使用准备好的语句 - 可以完成这项工作.

These do not have an escaping function readymade, but it seems they offer you to use prepared statements - which will do the job.

否则，您将有与安全相关的任务来自己创建转义函数.当您第一次看到字符替换时，它并不复杂，您可能很幸运，只需使用定义的编码覆盖您的确切用例.所以这可能真的就像在 MSSQL 手册中查找字符串中的哪些字符不允许作为简单字符一样简单，以及如何转义它们.

Otherwise you would have the security-relevant task to create an escaping function yourself. The character replacement is not really complicated when you first look at it, and you might be lucky to only have to cover your exact use case with a defined encoding. So this might really be as easy as looking up in the MSSQL manual which characters in a string are not allowed as a simple character, and how to escape them.

请注意，您可能会错过边缘情况，如果可以避免，我宁愿使用准备好的语句功能.

Be alerted though that you might miss edge cases, and if you can avoid it, I'd rather use the prepared statement feature.

更新:我误读了手册，mssql_execute() 只调用存储过程，而不是准备好的语句.你不能存储过程吗?将是一个简单的出路.但我想知道无论如何你应该如何与数据库交谈.

Update: I misread the manual, mssql_execute() only calls stored procedures, not prepared statements. Can't you store procedures? Would be an easy way out. But I'd like to know how you are supposed to talk to the database anyways.

Update2:我在 php.net 的评论中找到了一个链接，用于 mssql_bind 指向一个关于转义的 SO 答案:如何使用 PHP 在 SQL Server 中转义字符串?

Update2: I found a link in a comment on php.net for mssql_bind pointing back to an SO answer about escaping: How to escape strings in SQL Server using PHP?

这篇关于使用 PHP for SQL Server 和无 PDO 防止 SQL 注入的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！