Question
I see a lot of questions on here regarding MySQL, but what about when using OCI?
Is the simplest method to create a function that strips all characters from a string except for A-Z 0-9 and run the $_POST through it?
May I have an example?
Code
<?php
include("core/connection.php");

if (!empty($_POST)) {
    // User input is concatenated directly into the SQL text; this is the
    // injection risk the question asks about.
    $stid = oci_parse($conn, "SELECT CustomerNo FROM Customers WHERE Username = '" . $_POST['username'] . "' AND Password = '" . $_POST['password'] . "'");
    oci_execute($stid);

    // Fetch the first matching row directly. Calling oci_fetch_all() first
    // would consume the result set and leave nothing for oci_fetch_array().
    $row = oci_fetch_array($stid, OCI_NUM);
    if ($row !== false) {
        session_start();
        $_SESSION['account'] = $row[0];
        header("Location: index.php");
    }

    oci_free_statement($stid);
    oci_close($conn);
}
?>
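
The same lookup with OCI8 bind variables instead of string concatenation, as an added example that is not part of the original question. `find_customer_no()` is a hypothetical helper name, and `$conn` is assumed to be the connection opened by `core/connection.php`.

```php
<?php
// Added example: the question's lookup rewritten with OCI8 bind variables.
// Assumption: core/connection.php defines $conn, as in the question.
include("core/connection.php");

// find_customer_no() is a hypothetical helper; returns CustomerNo or null.
function find_customer_no($conn, string $username, string $password): ?string
{
    // Placeholders keep the SQL text constant; user input never becomes part of it.
    $sql = "SELECT CustomerNo FROM Customers
             WHERE Username = :username AND Password = :password";

    $stid = oci_parse($conn, $sql);
    if ($stid === false) {
        throw new RuntimeException(oci_error($conn)['message']);
    }

    // oci_bind_by_name() binds by reference, so pass variables, not expressions.
    oci_bind_by_name($stid, ":username", $username);
    oci_bind_by_name($stid, ":password", $password);

    if (!oci_execute($stid)) {
        $err = oci_error($stid);
        oci_free_statement($stid);
        throw new RuntimeException($err['message']);
    }

    $row = oci_fetch_array($stid, OCI_NUM);
    oci_free_statement($stid);

    return $row === false ? null : (string) $row[0];
}

// Array-valued POST fields are rejected before they reach the query.
$username = $_POST['username'] ?? null;
$password = $_POST['password'] ?? null;

if (is_string($username) && is_string($password)) {
    $customerNo = find_customer_no($conn, $username, $password);
    if ($customerNo !== null) {
        session_start();
        $_SESSION['account'] = $customerNo;
        header("Location: index.php");
        exit;
    }
}
oci_close($conn);
```

With binds, no character stripping is needed: the values are passed to Oracle as data and are never parsed as SQL, so usernames and passwords can keep characters outside A-Z and 0-9.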
Source: https://stackoverflow.com/questions/23630809/how-can-i-prevent-sql-injections-in-the-php-oci-extension