只是想了解，此代码中是否存在任何漏洞，以及是否有可能通过不安全的 POST 变量改变 SQL 语句的结构。如果这段代码存在漏洞、对 SQL 注入开放，请给出一个安全版本的示例。谢谢。
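<?php
// Look up employees by department through PDO_OCI with a parameterised query.
//
// Answer to the question above: the SELECT itself is not injectable, because
// the department id is never concatenated into the SQL text. It travels as a
// bind variable (":department_id"), so the statement's structure is fixed
// before the database ever sees a user-supplied value. What the original
// left unfinished was the path from $_POST to the bind (the commented-out
// line even had a stray "[" that would not parse); that part is filled in
// below with validation, a typed bind and exception-based error reporting.

// Oracle TNS connect descriptor for a local listener.
$database = '
(DESCRIPTION =
(ADDRESS_LIST =
(ADDRESS = (PROTOCOL = TCP)(HOST = localhost)(PORT = 1521))
)
(CONNECT_DATA =
(SERVICE_NAME = pdsales1)
)
)';

// NOTE(review): credentials are hard-coded (this is Oracle's sample HR
// schema). For anything beyond a local demo, load them from the environment
// or a secrets store so they do not end up in version control.
$db = new PDO('oci:dbname=' . $database, 'hr', 'hr');

// Without ERRMODE_EXCEPTION a failed prepare()/execute() just returns false
// and the script silently carries on with an empty result set.
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// --- Input handling ----------------------------------------------------------
// Read department_id from the request, validate it as an integer, and only
// then bind it. When nothing is posted, fall back to 20 so the script behaves
// exactly as the original hard-coded version did.
if (isset($_POST['department_id'])) {
    // FILTER_VALIDATE_INT returns false for non-numeric strings, floats and
    // non-scalar input (e.g. department_id[]=1), so all of those are rejected.
    $department_id = filter_var($_POST['department_id'], FILTER_VALIDATE_INT);
    if ($department_id === false) {
        http_response_code(400);
        header('Content-Type: application/json');
        echo json_encode(array('error' => 'department_id must be an integer'));
        exit;
    }
} else {
    $department_id = 20;
}

// --- Query -------------------------------------------------------------------
// Placeholder, not concatenation: the SQL text contains no request data, so
// its syntax cannot be changed by the caller regardless of what is posted.
$sth = $db->prepare('SELECT EMPLOYEE_ID,FIRST_NAME FROM EMPLOYEES where department_id=:department_id');

// bindValue with an explicit PARAM_INT copies the (already validated) value
// now, instead of the by-reference bindParam the original relied on, and
// tells the driver to send it as a number.
$sth->bindValue(':department_id', $department_id, PDO::PARAM_INT);
$sth->execute();

$rows = array();
while ($row = $sth->fetch(PDO::FETCH_OBJ)) {
    $rows[] = $row;
}

// Output is left disabled, as in the original. When it is enabled, send a
// Content-Type of application/json first so the body is not rendered as HTML.
$json_data = json_encode($rows);
//echo $json_data;

// No closing "?>" tag: trailing whitespace after it would be sent to the client.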