如何使用 PHP 和 sqlsrv 驱动程序清理输入? [英] How to sanitize input with PHP and the sqlsrv driver?
问题描述
我正在开发一个使用 sqlsrv 驱动程序的 PHP MSSQL 项目.阻止 SQL 注入攻击的最佳方法是什么?我需要像 mysql_real_escape_string() 这样的东西,但是对于 sqlsrv 驱动程序.
I'm working on a PHP MSSQL project that is using the sqlsrv driver. What's the best way to stop SQL injection attacks? I need something like mysql_real_escape_string() but for sqlsrv driver.
推荐答案
最好的方法是不要编写您的 SQL,因此您需要使用 mysql_real_escape_string()
的类似物,您可以这样做通过对值使用占位符,然后在执行语句或打开游标或其他时传递变量(否则将被 mysql_real_escape_string()
处理).
The best way is not to write your SQL so that you need to use an analogue of mysql_real_escape_string()
, which you would do by using placeholders for the values and then passing the variables (that would otherwise have been handled by mysql_real_escape_string()
) when you execute the statement or open the cursor or whatever.
如果失败,请查看mysql_real_escape_string()
的输出;它也可能适用于 MS SQL Server.这取决于它如何进行转义(以及它进行什么转义).
Failing that, look at the output of mysql_real_escape_string()
; it might be appropriate for MS SQL Server too. It depends on how it does the escaping (and what escaping it does).
这篇关于如何使用 PHP 和 sqlsrv 驱动程序清理输入?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!