Avoiding Injection Attacks when using Visual FoxPr

Published 2019-06-14 16:24

Question:

I am accessing a VFP database in PHP using the Visual FoxPro OLE DB Provider (vfpoledb.dll). I want to prepare statements for queries I am going to make in the same (or similar) way you would if you were using PDO or some other database abstraction layer.

Does anyone know if you can and the best way to prepare a statement so as to avoid injection attacks?

    $conn = new COM("ADODB.Connection");
    $conn->Open('Provider=VFPOLEDB.1;Data Source="' . $path . '";');

    // Bad! $value is concatenated straight into the SQL string
    $up = $conn->Execute("UPDATE tablename SET fieldname='Testing' WHERE fieldname = '" . $value . "'");

    // Good?
    ...

or/and if anyone knows where there is a reference to methods accessible through this COM dll that would be fantastic.
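One way to fill in the "Good?" slot while staying on the same COM route the question uses: bind the value through an ADODB.Command parameter instead of concatenating it. This is an added example, not code from the question or the answer; it assumes the VFP OLE DB provider is installed, PHP's COM extension is enabled, and the table and column names from the question (the path and the search value are constructed samples).

```php
<?php
// Added example: the UPDATE from the question run through an ADODB.Command
// with a bound parameter. Assumes vfpoledb.dll is registered and PHP's COM
// extension is loaded.

$path  = 'C:\\data\\mydb.dbc';   // constructed sample path to the .dbc
$value = "O'Brien";              // constructed sample input containing a quote

$conn = new COM('ADODB.Connection');
$conn->Open('Provider=VFPOLEDB.1;Data Source="' . $path . '";');

// ADO DataTypeEnum / ParameterDirectionEnum values from the ADO type library
$adVarChar    = 200;
$adParamInput = 1;

$cmd = new COM('ADODB.Command');
$cmd->ActiveConnection = $conn;
// '?' is the positional parameter marker; the value never becomes part of the SQL text
$cmd->CommandText = "UPDATE tablename SET fieldname='Testing' WHERE fieldname = ?";
$cmd->Prepared = true;

// CreateParameter(Name, Type, Direction, Size, Value): the provider handles the
// quoting, so the apostrophe in $value cannot terminate the string literal
$param = $cmd->CreateParameter('p_fieldname', $adVarChar, $adParamInput, 254, $value);
$cmd->Parameters->Append($param);

$cmd->Execute();

$conn->Close();
```

The same Command object can be re-used for further executions by changing `$param->Value` before each call, which is where the prepared statement actually pays off.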

Answer 1:

Just an update for anyone who walks this path in future days.

I ended up solving this problem using the ADOdb Database Abstraction Library for PHP http://adodb.sourceforge.net/

An example:

    // Path to your dbc file
    $path = '/path/to/the/file.dbc';

    // Create a FoxPro connection
    $db = ADONewConnection('vfp');

    // Create DSN (note: $path, the PHP variable, not a bare constant)
    $dsn = "Driver={Microsoft Visual FoxPro Driver};SourceType=DBC;SourceDB=" . $path . ";Exclusive=No;";

    // Connect or die trying
    $db->Connect($dsn) or die('Error connecting with Visual FoxPro Driver');

    // Set fetch mode (this just makes the return values easier to parse)
    $db->SetFetchMode(ADODB_FETCH_BOTH);

    // Your query - use ? as the placeholder for each value
    $query = "SELECT fieldname_a, fieldname_b FROM tablename WHERE fieldname_c = ? AND fieldname_d = ?";

    // Your query params, in the same order as the ? markers
    $queryParms = array('valueYouAreSearchingFor_c', 'valueYouAreSearchingFor_d');

    // Execute the query; ADOdb binds the params rather than interpolating them
    $rs = $db->Execute($query, $queryParms);

    // An example looping the results (>= PHP 5)
    foreach ($rs as $row) {

        // Print out examples
        print_r($row);
        echo $row["fieldname_a"];
        echo $row["fieldname_b"];
    }

    // Don't forget to clean up after yourself
    $rs->Close();