替换 sql server 查询以保护 PDO 查询

Question

我尝试将我的非安全查询替换为 PDO（防止 SQL 注入），但我不相信自己在做什么。 我有数据库连接文件：

<?php
$serverName ="db_name\SQLEXPRESS";
 $usr="sa";
 $pwd="SysAdmin1";
 $db="DB"; 
$connectionInfo = array("UID" => $usr, "PWD" => $pwd, "Database" => $db);
$conn = sqlsrv_connect($serverName, $connectionInfo);
?>

还有我的查询文件：

require_once 'db_file.php';
$place=$_POST['place'];
$name=$_POST['name'];
$sql_user = "SELECT * FROM users WHERE name='$name' and place= '$place' ";
$res = sqlsrv_query($conn,$sql_user);
$row = sqlsrv_fetch_array($res);

它工作正常但不安全。我尝试替换为：

$sql_user = $conn -> prepare ("SELECT * FROM users WHERE name = :name and place = :place");  
$sql_user -> execute (array(':name => '$name' ,  :place => '$place''));
$row = $sql_user -> fetch();

我有错误解析错误：语法错误，意外的 T_VARIABLE，期待 ')'。我读了很多关于那个的帖子，但没有支持我做得好还是没有？因为有时查询中的变量是 :name 有时只是？

Answer 1

这对我有用：

# connect
try{
    //$pdo = new PDO("sqlsrv:Server=$hostname;Database=$dbname;", $username, $password);  // works with proper driver for PHP.
    $pdo = new PDO("odbc:Driver={SQL Server};Server=$hostname;Database=$dbname;", $username, $password);  // works with proper driver for ODBC and PHP ODBC.
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    ini_set('mssql.charset', 'UTF-8');  // allow Chinese names.
}catch(PDOException $e){
    die("Error connecting to $hostname SQL: ".$e->getMessage());
}

# read
$sql = "SELECT name FROM employees ORDER BY 1";
$stmt = $pdo->prepare($sql);
$stmt->execute();
while($row = $stmt->fetch()){
    echo $row[1]."<br>";
}

# write
try{
    $sql = "INSERT INTO employees(name)
            VALUES (:name)";
    $stmt = $pdo->prepare($sql);
    $stmt->bindValue(':name', $new_employee);
    $stmt->execute();
}catch(PDOException $e){
    echo "Could not add employee $new_employee!";
}

More tutorials