Question
I mostly use prepared statements to prevent SQL injection. Now I also need to filter on an ENUM type. How should I use it in a prepared statement while keeping things secure?
I have an address table and need to filter a customer's invoice addresses. How do I do that and stay secure? Or does it not matter?
Two options I can think of. "Invoice" as a string in the parameter array:
    public function getCustomerInvoiceAddresses($customerNumber)
    {
        $query = 'SELECT contactPerson,company,street,zipCode,city,deliveryMethod
                  FROM address
                  WHERE FK_customerNumber = ?
                  AND addresstype = ?';
        $paramType  = 'is';
        $paramValue = array(
            $customerNumber, "Invoice"
        );
        $invoiceAddressArray = $this->ds->select($query, $paramType, $paramValue);
        return $invoiceAddressArray;
    }
"Invoice" hard-coded in the SELECT:
    public function getCustomerInvoiceAddresses($customerNumber)
    {
        $query = 'SELECT contactPerson,deliveryMethod
                  FROM address
                  WHERE FK_customerNumber = ?
                  AND addresstype = "Invoice"';
        // only one placeholder is left, so only one type specifier (integer) is bound
        $paramType  = 'i';
        $paramValue = array(
            $customerNumber
        );
        $invoiceAddressArray = $this->ds->select($query, $paramType, $paramValue);
        return $invoiceAddressArray;
    }
    $invoiceAddresses = $customer->getCustomerInvoiceAddresses($customerNumber, "Invoice");
Answer
If you are parsing the data and using prepared statements, I don't believe SQL injection can occur. So I would go with the most flexible option and use
    $invoiceAddresses = $customer->getCustomerInvoiceAddresses($customerNumber, "Invoice");
renaming the function to getCustomerAddresses.
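Below is an added example (not code from the question or the answer) of the combined getCustomerAddresses function the answer suggests, written against mysqli directly rather than the unknown $this->ds wrapper: the address type is bound as a parameter like the customer number, and is first checked against an allowlist mirroring the column's ENUM values. The table and column names come from the question; the mysqli connection $db and the second ENUM value 'Delivery' are assumptions.

```php
<?php
// Added example, not part of the original post. Assumes a mysqli connection $db
// and that address.addresstype is ENUM('Invoice', 'Delivery'); only 'Invoice'
// appears in the question, 'Delivery' is an assumed value.
final class AddressRepository
{
    /** Allowed values, kept in sync with the ENUM definition of address.addresstype. */
    private const ADDRESS_TYPES = ['Invoice', 'Delivery'];

    public function __construct(private mysqli $db) {}

    /**
     * Returns one customer's addresses filtered by address type.
     * Both values travel as bound parameters, so neither can alter the SQL.
     * The allowlist check is defence in depth: a value outside the ENUM is
     * rejected with a clear error instead of silently matching no rows.
     */
    public function getCustomerAddresses(int $customerNumber, string $addressType): array
    {
        if (!in_array($addressType, self::ADDRESS_TYPES, true)) {
            throw new InvalidArgumentException("Unknown address type: $addressType");
        }

        $sql = 'SELECT contactPerson, company, street, zipCode, city, deliveryMethod
                FROM address
                WHERE FK_customerNumber = ? AND addresstype = ?';

        $stmt = $this->db->prepare($sql);
        $stmt->bind_param('is', $customerNumber, $addressType); // i = integer, s = string
        $stmt->execute();

        $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
        $stmt->close();
        return $rows;
    }
}

// Usage: the caller passes the type as data, never by splicing it into the SQL text.
// $repo = new AddressRepository($db);
// $invoiceAddresses = $repo->getCustomerAddresses($customerNumber, 'Invoice');
```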