我目前正在使用3dCart高級API,它使用SOAP請求和SQL來查詢數據庫。PHP Soap - 遠程SQL
我很擔心安全。什麼是使遠程查詢安全的選項?
下面是一些示例代碼:
class Data {
private $db;
public function __construct(){
$this->db = new soapclient('http://api.3dcart.com/cart_advanced.asmx?WSDL',array('trace'=>1,'soap_version'=>SOAP_1_1));
}
public function query($sql = "SELECT TOP 20 * FROM category"){
$param = array(
'storeUrl'=>"example.com",
'userKey'=>"supersecretcode",
'sqlStatement'=>$sql
);
$result = $this->db->runQuery($param);
$match = $result->runQueryResult->any;
$sxe = new SimpleXMLElement($match);
return $sxe->runQueryRecord;
}
}
我運行查詢像這樣:
$db = new Data()
$query = $db->query("SELECT id, category_name FROM category WHERE category_name LIKE '%".$search_term."%' AND isFilter = 0 AND hide = 0");
//WORK WITH QUERY DATA HERE
如何保護呢? 因爲我沒有直接連接到SQL服務器有什麼辦法來防止SQL注入?
如果我運行一個正則表達式來返回true,那麼只有字符串是字母數字時,如果有或沒有空格,該怎麼辦? – bottens 2013-05-07 13:14:10
像這樣:$ search_term =(preg_match('/^[A-Za-z0-9 _] * $ /',$ search_term))?$ search_term:「默認搜索詞」; – bottens 2013-05-07 13:15:02
是的,只要你不需要別的東西就可以工作。白名單是安全的,但用字符串你需要非常小心你允許的。我[發現這個問題](http://stackoverflow.com/questions/1162491/alternative-to-mysql-real-escape-string-without-connecting-to-db)有一些答案,可能會有所幫助。 – Sam 2013-05-07 14:08:34