When I insert or update an Oracle database from a PHP form, I capture the FORM data and clean it by trimming it and running it through stripslashes and htmlspecialchars.
I want to keep ampersands, single quotes and double quotes in the database...
But recently I've been wondering about this function. I thought it was there to help against SQL injection, but OCI8 avoids that through bind variables, which I am using...
How does it handle single quotes?
Does it stop a single quote from terminating the string?
I'm thinking I may need to rewrite this function a bit. Do I even need it?
Can anyone help with this function check_input($data) and give me feedback?
<?php
require('conn.php');
require('db.php');
$conn = db_connect();
$form1 = check_input($_POST['issueType']);
$form2 = check_input($_POST['summary']);
$form3 = check_input($_POST['endPointName']);
$form4 = check_input($_POST['contactFirstName']);
$form5 = check_input($_POST['contactLastName']);
$form6 = check_input($_POST['contactEmail']);
$form7 = check_input($_POST['contactPhone']);
$form8 = check_input($_POST['description']);
// trims data, strips extra characters, converts special characters to HTML entities
function check_input($data) {
$data = trim($data);
$data = stripslashes($data);
$data = htmlspecialchars($data);
return $data;
}
$insert = "INSERT INTO VTC_HELPDESK_ISSUES (ISSUE_TYPE, ISSUE_SHORT,ENDPOINT_NAME,CONTACT_FIRST_NAME,CONTACT_LAST_NAME, CONTACT_EMAIL,CONTACT_PHONE,ISSUE_DESC,SOLUTION,OTHER_COMPANY_TICKET_NUM,RESOLVED,AGENCY) VALUES (:issueType, :summary,:endPointName, :contactFirstName, :contactLastName,:contactEmail, :contactPhone, :description, :solution, :ticketNumber, :resolved, :agency)";
$send = oci_parse($conn, $insert);
//Binding makes it harder to submit anything directly to the Oracle DB
oci_bind_by_name($send, ':issueType', $form1);
oci_bind_by_name($send, ':summary', $form2);
oci_bind_by_name($send, ':endPointName', $form3);
oci_bind_by_name($send, ':contactFirstName', $form4);
oci_bind_by_name($send, ':contactLastName', $form5);
oci_bind_by_name($send, ':contactEmail', $form6);
oci_bind_by_name($send, ':contactPhone', $form7);
oci_bind_by_name($send, ':description', $form8);
// The statement also contains :solution, :ticketNumber, :resolved and :agency.
// Every placeholder must be bound before oci_execute(), otherwise Oracle
// raises ORA-01008 "not all variables bound". These four are not posted by the
// form, so they are bound to NULL here (assumption: the columns allow NULL).
$solution = null;
$ticketNumber = null;
$resolved = null;
$agency = null;
oci_bind_by_name($send, ':solution', $solution);
oci_bind_by_name($send, ':ticketNumber', $ticketNumber);
oci_bind_by_name($send, ':resolved', $resolved);
oci_bind_by_name($send, ':agency', $agency);
oci_execute($send);
?>
Answer 0 (score: 0)
Because binding is important for Oracle database performance and is the way to avoid SQL injection security problems, you can stop doing your own check_input() on these fields. Specifically, you are losing quotes and ampersands to htmlspecialchars().
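An added example (not the asker's or the answerer's code) of what the answer recommends: the value reaches Oracle as bound data, so quotes and ampersands are stored exactly as typed, and HTML escaping happens only when the text is rendered. The table and column names are the ones from the question; the helper names `clean_for_storage` and `validate_email`, the two-column insert, and an existing OCI8 connection in `$conn` are assumptions.

```php
<?php
// Added example, not code from the question or answer. Assumes $conn is an
// open OCI8 connection and the VTC_HELPDESK_ISSUES table from the question.

// Keep the input as the user typed it; only normalise surrounding whitespace.
// stripslashes() is a leftover from magic_quotes (removed in PHP 5.4) and would
// eat legitimate backslashes; htmlspecialchars() belongs at output time, not here.
function clean_for_storage(?string $value): string {
    return trim($value ?? '');
}

// Validate shape where a field has one, and reject bad input instead of "fixing" it.
function validate_email(string $value): bool {
    return filter_var($value, FILTER_VALIDATE_EMAIL) !== false;
}

$summary = clean_for_storage($_POST['summary'] ?? '');      // e.g. O'Brien & Co "urgent"
$email   = clean_for_storage($_POST['contactEmail'] ?? '');
if (!validate_email($email)) {
    http_response_code(400);
    exit('invalid contact email');
}

// The bound value travels as data, never as SQL text, so a quote inside it
// cannot close the string literal: there is no literal to close.
$sql  = "INSERT INTO VTC_HELPDESK_ISSUES (ISSUE_SHORT, CONTACT_EMAIL) VALUES (:summary, :email)";
$stmt = oci_parse($conn, $sql);
oci_bind_by_name($stmt, ':summary', $summary);
oci_bind_by_name($stmt, ':email', $email);
if (!oci_execute($stmt)) {
    $err = oci_error($stmt);
    error_log('insert failed: ' . $err['message']);   // log details server-side only
    http_response_code(500);
    exit('could not save issue');
}

// When the stored text is rendered in HTML, escape for that context.
// ENT_QUOTES also converts single quotes, which matters inside attribute values.
$read = oci_parse($conn, "SELECT ISSUE_SHORT FROM VTC_HELPDESK_ISSUES WHERE CONTACT_EMAIL = :email");
oci_bind_by_name($read, ':email', $email);
oci_execute($read);
while (($row = oci_fetch_assoc($read)) !== false) {
    echo '<li>' . htmlspecialchars($row['ISSUE_SHORT'], ENT_QUOTES, 'UTF-8') . "</li>\n";
}
```

The split is the point: the database layer is protected by the bind, the browser is protected by escaping at render time, and the stored row keeps `O'Brien & Co "urgent"` intact for reports, e-mails or any other output context that needs its own escaping rules.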