我目前正在使用3dCart高级API,它使用SOAP请求和SQL来查询数据库。PHP Soap - 远程SQL
我很担心安全。什么是使远程查询安全的选项?
下面是一些示例代码:
class Data {
private $db;
public function __construct(){
$this->db = new soapclient('http://api.3dcart.com/cart_advanced.asmx?WSDL',array('trace'=>1,'soap_version'=>SOAP_1_1));
}
public function query($sql = "SELECT TOP 20 * FROM category"){
$param = array(
'storeUrl'=>"example.com",
'userKey'=>"supersecretcode",
'sqlStatement'=>$sql
);
$result = $this->db->runQuery($param);
$match = $result->runQueryResult->any;
$sxe = new SimpleXMLElement($match);
return $sxe->runQueryRecord;
}
}
我运行查询像这样:
$db = new Data()
$query = $db->query("SELECT id, category_name FROM category WHERE category_name LIKE '%".$search_term."%' AND isFilter = 0 AND hide = 0");
//WORK WITH QUERY DATA HERE
如何保护呢? 因为我没有直接连接到SQL服务器有什么办法来防止SQL注入?
如果我运行一个正则表达式来返回true,那么只有字符串是字母数字时,如果有或没有空格,该怎么办? – bottens 2013-05-07 13:14:10
像这样:$ search_term =(preg_match('/^[A-Za-z0-9 _] * $ /',$ search_term))?$ search_term:“默认搜索词”; – bottens 2013-05-07 13:15:02
是的,只要你不需要别的东西就可以工作。白名单是安全的,但用字符串你需要非常小心你允许的。我[发现这个问题](http://stackoverflow.com/questions/1162491/alternative-to-mysql-real-escape-string-without-connecting-to-db)有一些答案,可能会有所帮助。 – Sam 2013-05-07 14:08:34