PHP and SQL Server: how do I make this secure?
http://www.php.net/manual/en/book.mssql.php
I am using that to connect from a LAMP environment to SQL Server. I noticed I don't have the neat functions like prepared statements and real_escape_string.
How can I make my query as secure as possible? Any help is appreciated.
Don't suggest that I use ODBC or PDO; I don't have that option. I have to run with what I have, and that's MSSQL.
$con = mssql_connect ('xxx', 'xxx', 'xxx');
mssql_select_db('xxx', $con);
$qry = "SELECT
firstname
FROM
person
where firstname = '{$firstname}'";
$query = mssql_query($qry, $con);
Don't use literals, use parameters and bind them to your query:
The MSSQL binding supports prepared statements just fine.
The documentation is your friend.
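Putting the two answers above into practice, here is an added example (not code from the question or from either answer) of a parameterised lookup through the legacy mssql extension. It assumes a stored procedure named dbo.FindPersonByFirstname exists on the server (its T-SQL is given in the comment) and uses placeholder connection details.

```php
<?php
// Added example: parameterised query via the mssql extension (PHP 5.x; the
// extension was removed in PHP 7.0). mssql_bind() only binds parameters of a
// stored procedure, so the query is wrapped in one. Assumed procedure,
// created once on the SQL Server side:
//
//   CREATE PROCEDURE dbo.FindPersonByFirstname @firstname VARCHAR(100)
//   AS
//   BEGIN
//       SET NOCOUNT ON;
//       SELECT firstname FROM person WHERE firstname = @firstname;
//   END
//
// Server, credentials and database below are placeholders.

function find_person_by_firstname($con, $firstname)
{
    // mssql_init() prepares a call to the named stored procedure.
    $stmt = mssql_init('dbo.FindPersonByFirstname', $con);
    if ($stmt === false) {
        throw new RuntimeException('mssql_init failed: ' . mssql_get_last_message());
    }

    // The value travels as a typed parameter, never as SQL text, so quotes or
    // comment markers in $firstname cannot alter the statement. The length is
    // capped to the size declared for the procedure parameter.
    $firstname = (string) $firstname;
    mssql_bind($stmt, '@firstname', $firstname, SQLVARCHAR, false, false, 100);

    $result = mssql_execute($stmt);
    if ($result === false) {
        throw new RuntimeException('mssql_execute failed: ' . mssql_get_last_message());
    }

    $rows = array();
    while ($row = mssql_fetch_assoc($result)) {
        $rows[] = $row['firstname'];
    }
    mssql_free_result($result);
    mssql_free_statement($stmt);
    return $rows;
}

$con = mssql_connect('SERVER_PLACEHOLDER', 'USER_PLACEHOLDER', 'PASSWORD_PLACEHOLDER');
mssql_select_db('DB_PLACEHOLDER', $con);

// Untrusted input such as "O'Brien" is matched literally, not interpreted.
$matches = find_person_by_firstname($con, isset($_GET['firstname']) ? $_GET['firstname'] : '');
foreach ($matches as $name) {
    echo htmlspecialchars($name, ENT_QUOTES, 'UTF-8'), "\n";
}
```

Output encoding with htmlspecialchars() is a separate concern from SQL parameterisation; the two are not interchangeable.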
You can use htmlentities() to convert html elements into html entities, and this function accepts a third argument which is for escaping single and double quotes. Here is the signature of the function:
and the arguments that the second parameter may take:
ENT_COMPAT Will convert double-quotes and leave single-quotes alone.
ENT_QUOTES Will convert both double and single quotes.
ENT_NOQUOTES Will leave both double and single quotes unconverted.
ENT_IGNORE Silently discard invalid code unit sequences instead of returning an empty string. Added in PHP 5.3.0. This is provided for backwards compatibility; avoid using it as it may have security implications.
And
You can simply use addslashes() with htmlentities(), and there is also another function which cleans html tags out from the fields, filter_var(); such an example would look like:
$return_value = filter_var($data_to_be_filtered, FILTER_SANITIZE_STRING);
Important
Don't forget to check whether magic_quotes are enabled or not. You can do that by writing:
More about magic_quotes: http://www.php.net/manual/en/info.configuration.php#ini.magic-quotes-gpc
Edit:
You can do a more secure transaction by using prepared statements. They prevent SQL injection.
Sample code:
Mssql doesn't supply a function to escape your query. One option is to use "addslashes()" instead, although it is somewhat ugly (and doesn't encompass everything).
This might be helpful: How to escape strings in SQL Server using PHP?