Avoiding Injection Attacks when using Visual FoxPr

2019-06-14 16:08发布

站内问答 / PHP
1319 1 6

I am accessing a VFP database in php using visual fox pro OLE DB Provider (vfpoledb.dll). I want to prepare statements for queries I am going to make in the same (or similar) way you would if you where using PDO or some other database abstraction layer.

Does anyone know if you can and the best way to prepare a statement so as to avoid injection attacks? 

$conn = new COM("ADODB.Connection");
$conn->Open('Provider=VFPOLEDB.1;Data Source="' . $path . '";');

// Bad!
$up = $conn->Execute("UPDATE tablename SET fieldname='Testing' WHERE fieldname = '" . $value . "'")

// Good?
...

or/and if anyone knows where there is a reference to methods accessible though this COM dll that would be fantastic.

1条回答
ゆ 、 Hurt°
2楼-- · 2019-06-14 16:34

Just an update for anyone who walks this path in future days.

I ended up solving this problem using the ADOdb Database Abstraction Library for PHP http://adodb.sourceforge.net/

An example:

            // Path to your dbc file
            $path = '/path/to/the/file.dbc';

            // Create A FoxPro connection
            $db = ADONewConnection('vfp');

            // Create DSN 
            $dsn = "Driver={Microsoft Visual FoxPro Driver};SourceType=DBC;SourceDB=" . path . ";Exclusive=No;";

            // Contact or die trying
            $db->Connect($dsn) or die('Error connect with Visual FoxPro Driver');

            // Set fetch mode (this just makes the return values easier to parse)
            $db->SetFetchMode(ADODB_FETCH_BOTH);

            // Your Query - use ? as the var
            $query = "SELECT fieldname_a, fieldname_b FROM tablename WHERE fieldname_c = ? AND fieldname_d = ?";

            // Your Query Params
            $queryParms = array('valueYouAreSearchingFor_c', 'valueYouAreSearchingFor_d');

            // Execute the query
            $rs = $db->Execute($query, $queryParms);

            // An example looping the results (>= php5)
            foreach ($rs as $row) {

                // Print out examples
                print_r($row);
                echo $row["fieldname_a"];
                echo $row["fieldname_b"];
            }

            // Don't forget to clean up after yourself
            $rs->Close();
查看更多
0人赞 添加讨论(0) 举报
登录 后发表回答
相关问题
查看全部
相关文章
查看全部
收藏的人(6)