如何防止使用 foreach 插入多行的 SQL 注入?
How can I prevent SQL injection using foreach to insert multiple rows?
在客户端,用户可以指定类别(比如开胃菜、主菜、甜点等菜单类别)。我的目标是将这些类别存储在我的数据库中。我的代码有效,但我担心 $category 容易受到 SQL 注入的攻击。我知道如何防止使用像 :business_id 这样的单个变量进行注入,但是当可以有多个值($category)时我将如何做到这一点?感谢您的帮助。
function recreate_categories_for_business($business_id, $categories) {
$categories = json_decode(stripslashes($categories));
$sql = "INSERT INTO Categories (business_id, name) VALUES ";
foreach($categories as $category) {
$sql .= "(:business_id, '".$category."'),";
}
$sql = rtrim($sql, ",");
if($stmt = $db->prepare($sql)) {
$stmt->bindParam(':business_id', $business_id);
if($stmt->execute()) {
return true;
}
}
}
如PDOStatement::bindParam or PDOStatement::bindValue中所述,只需使用?代替:business_id和查询中的类别值以及一个整数(从1开始)绑定该值。像这样:
function recreate_categories_for_business($business_id, $categories) {
$categories = json_decode(stripslashes($categories));
$sql = "INSERT INTO Categories (business_id, name) VALUES ";
foreach($categories as $category) {
$sql .= "(?, ?),";
}
$sql = rtrim($sql, ",");
if($stmt = $db->prepare($sql)) {
$i = 0;
foreach($categories as $category) {
$i++; // update position for the business ID (starting with 1)
$stmt->bindValue($i, $business_id);
$i++; // update the position for the category name
$stmt->bindValue($i, $category);
}
if($stmt->execute()) {
return true;
}
}
}
在客户端,用户可以指定类别(比如开胃菜、主菜、甜点等菜单类别)。我的目标是将这些类别存储在我的数据库中。我的代码有效,但我担心 $category 容易受到 SQL 注入的攻击。我知道如何防止使用像 :business_id 这样的单个变量进行注入,但是当可以有多个值($category)时我将如何做到这一点?感谢您的帮助。
function recreate_categories_for_business($business_id, $categories) {
$categories = json_decode(stripslashes($categories));
$sql = "INSERT INTO Categories (business_id, name) VALUES ";
foreach($categories as $category) {
$sql .= "(:business_id, '".$category."'),";
}
$sql = rtrim($sql, ",");
if($stmt = $db->prepare($sql)) {
$stmt->bindParam(':business_id', $business_id);
if($stmt->execute()) {
return true;
}
}
}
如PDOStatement::bindParam or PDOStatement::bindValue中所述,只需使用?代替:business_id和查询中的类别值以及一个整数(从1开始)绑定该值。像这样:
function recreate_categories_for_business($business_id, $categories) {
$categories = json_decode(stripslashes($categories));
$sql = "INSERT INTO Categories (business_id, name) VALUES ";
foreach($categories as $category) {
$sql .= "(?, ?),";
}
$sql = rtrim($sql, ",");
if($stmt = $db->prepare($sql)) {
$i = 0;
foreach($categories as $category) {
$i++; // update position for the business ID (starting with 1)
$stmt->bindValue($i, $business_id);
$i++; // update the position for the category name
$stmt->bindValue($i, $category);
}
if($stmt->execute()) {
return true;
}
}
}