用PHP清理PostgreSQL中所有用戶的輸入

Question

這個問題是基於this thread。

當您使用pg_prepare時，您是否需要顯式清理？

我覺得pg_prepare進行消毒用戶輸入時自動例如，我們不需要這個

$question_id = filter_input(INPUT_GET, 'questions', FILTER_SANITIZE_NUMBER_INT); 

背景下，我使用的Postgres

$result = pg_prepare($dbconn, "query9", "SELECT title, answer 
    FROM answers 
    WHERE questions_question_id = $1;");         
$result = pg_execute($dbconn, "query9", array($_GET['question_id'])); 

Answer 1

上pg_prepare據Postgres的documentation，所有逃脫都是爲你完成的。請參閱示例部分，它裏面列出了下面的代碼（包括評論）：

<?php 
// Connect to a database named "mary" 
$dbconn = pg_connect("dbname=mary"); 

// Prepare a query for execution 
$result = pg_prepare($dbconn, "my_query", 'SELECT * FROM shops WHERE name = $1'); 

// Execute the prepared query. Note that it is not necessary to escape 
// the string "Joe's Widgets" in any way 
$result = pg_execute($dbconn, "my_query", array("Joe's Widgets")); 

// Execute the same prepared query, this time with a different parameter 
$result = pg_execute($dbconn, "my_query", array("Clothes Clothes Clothes")); 
?> 

雖然它可能是注意到他們使用單引號（'）而不是雙引號（"）周圍的查詢字符串是有用的，那麼$1將不會意外插入到字符串中。