问题描述
有什么建议我如何保护下面的 GET 代码以防止 sql 注入或任何黑客活动?
http://localhost/hobby.PHP?hobby=soccer
<?PHP
include "connect.PHP";
$hobby = (isset($_GET['hobby'])) ? $_GET['hobby'] : '';
$hobby = str_replace("'","''",$hobby);
$hobby = strip_tags($hobby);
$hobby = trim ($hobby);
if ($hobby != '') {
$sql = "SELECT Name,Hobby from myself where Hobby like '%$hobby%'";
$stmt = sqlsrv_query( $conn,$sql );
$result = array();
$row_check = sqlsrv_has_rows( $stmt );
if ($row_check == true) {
while ($row = sqlsrv_fetch_array( $stmt,sqlSRV_FETCH_ASSOC)) {
$result['Response'][] = array(
'Name' => $row['Name'],'Hobby' => $row['Hobby']
);
}
}
sqlsrv_free_stmt( $stmt);
sqlsrv_close( $conn);
?>
解决方法
最好的做法是按照@giacomo-m 的建议使用 PDO
php.net/manual/en/book.pdo.php