用PHP清理PostgreSQL中所有用户的输入

Question

这个问题是基于this thread。

当您使用pg_prepare时，您是否需要显式清理？

我觉得pg_prepare进行消毒用户输入时自动例如，我们不需要这个

$question_id = filter_input(INPUT_GET, 'questions', FILTER_SANITIZE_NUMBER_INT); 

背景下，我使用的Postgres

$result = pg_prepare($dbconn, "query9", "SELECT title, answer 
    FROM answers 
    WHERE questions_question_id = $1;");         
$result = pg_execute($dbconn, "query9", array($_GET['question_id'])); 

Answer 1

上pg_prepare据Postgres的documentation，所有逃脱都是为你完成的。请参阅示例部分，它里面列出了下面的代码（包括评论）：

<?php 
// Connect to a database named "mary" 
$dbconn = pg_connect("dbname=mary"); 

// Prepare a query for execution 
$result = pg_prepare($dbconn, "my_query", 'SELECT * FROM shops WHERE name = $1'); 

// Execute the prepared query. Note that it is not necessary to escape 
// the string "Joe's Widgets" in any way 
$result = pg_execute($dbconn, "my_query", array("Joe's Widgets")); 

// Execute the same prepared query, this time with a different parameter 
$result = pg_execute($dbconn, "my_query", array("Clothes Clothes Clothes")); 
?> 

虽然它可能是注意到他们使用单引号（'）而不是双引号（"）周围的查询字符串是有用的，那么$1将不会意外插入到字符串中。