I am coding for an Intranet. In theory, I don't have to worry too much about SQL injection (I can see you throwing up your hands in horror already ;-) It's not really a secure app & doesn't have any "secret stuff".
I'm more concerned about storing and retrieving strings which contain quotes.
It has to use ODBC function (order from on high).
1) is it enough to addslashes()
when executing commands and开发者_如何学编程 stripslashes()
when retrieving them?
2) I am aware of which input might contain quotes & which not (e.g, some form input field require number input an are validated, so, if they are going to be written to the d/b, they are known to be free of quotes)
However, I do have central functions to OdbcExec()
and to odbc_fetch_row()
and then extract the value of a named column.
Is there any reason why I should nod add/strip-slashes in those?
If you can make it a bit securer while still using OSBC functions then by all means do so. My main concern at this early stage in development is to prevent crashes when entering strings containing quotes. 1 or 2 central functions seem best to me, but maybe you knwo better.
Thanks for clarifying
Use parameterized queries / statements. The odbc prepare and execute functionality provides you this feature like so:
<?php
$a = $_GET['a'];
$stmt = odbc_prepare($db_conn, "SELECT b FROM c WHERE a=?");
$res = odbc_execute($stmt, array($a));
?>
There is some limitation with regards to parameters that begin and end /w single quotes, see here:
http://php.net/manual/en/function.odbc-execute.php
Validate input as best you can prior to putting it in the DB, and use parameterized queries and you'll be in business.
精彩评论