This article explains how to escape SQL injection in HANA placeholders; it should be a useful reference for anyone facing the same problem. Read on to learn more.

Problem description

I have some HANA queries which use PLACEHOLDER input and of course I want to prevent SQL injection.

I tried this in odbc_prepare():

// Nowdoc (<<<'SQL') instead of heredoc: inside a heredoc PHP would try to
// interpolate $some_key and mangle the literal $$some_key$$ placeholder name.
$query = <<<'SQL'
SELECT
    col,
    ...
FROM table_name('PLACEHOLDER'=('$$some_key$$', ?))
WHERE col = ?
SQL;
$stmt = \odbc_prepare($conn, $query);

if ($stmt !== false) {
    // Attempt to bind both the placeholder value and the WHERE value
    \odbc_execute($stmt, ['placeholder_value', 'where_value']);
}

But I get this warning:

Warning: odbc_prepare(): SQL error: [SAP AG][LIBODBCHDB SO][HDBODBC] Syntax error or access violation;257 sql syntax error: incorrect syntax near "?": line 32 col 40 (at pos 1283), SQL state 37000 in SQLPrepare

and the statement wasn't created. So my code now looks like this:

// Nowdoc so that PHP leaves the literal $$some_key$$ alone
$query = <<<'SQL'
SELECT
    col,
    ...
FROM table_name('PLACEHOLDER'=('$$some_key$$', 'placeholder_value'))
WHERE col = ?
SQL;
$stmt = \odbc_prepare($conn, $query);

if ($stmt !== false) {
    // Only the WHERE value is bound; the placeholder value is spliced into the SQL text
    \odbc_execute($stmt, ['where_value']);
}

As I see here, htmlspecialchars() is not enough to prevent SQL injection.

I can't remove the input placeholder; I don't own HANA.

Is there any other way to prevent SQL injection in PLACEHOLDER?

Recommended answer

The (old) placeholder syntax ('PLACEHOLDER'=('<varname>', '<var value>')) you're using here does not allow for bind variables.

Instead, the new placeholder syntax (PLACEHOLDER."<varname>" => ?) allows using bind variables.

In your code this would look like this:

// Nowdoc so that PHP leaves the literal $$some_key$$ alone
$query = <<<'SQL'
SELECT
    col,
    ...
FROM table_name (PLACEHOLDER."$$some_key$$" => ?)
WHERE col = ?
SQL;
$stmt = \odbc_prepare($conn, $query);

if ($stmt !== false) {
    // Both the placeholder value and the WHERE value are now bound parameters
    \odbc_execute($stmt, ['placeholder_value', 'where_value']);
}
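The following is an added example, not code from the question or the answer above, showing how the new PLACEHOLDER."<name>" => ? syntax fits into a small PHP/ODBC helper. Two points the answer leaves implicit are made explicit here: the placeholder name is an identifier and cannot be bound, so it is spliced into the SQL text and must therefore come from an allowlist; and odbc_execute() treats a bound value that both starts and ends with a single quote as the name of a file to read and send to the server (PHP manual), so values in that shape are rejected before they reach the driver. The view name `my_view`, the placeholder names `$$P_KEY$$` / `$$P_FROM_DATE$$`, the column `col` and the DSN are constructed for the example.

```php
<?php
declare(strict_types=1);

// Constructed allowlist of placeholder *names* this code is allowed to use.
// Names are identifiers, not values, so they cannot be bound with "?".
const ALLOWED_PLACEHOLDERS = ['$$P_KEY$$', '$$P_FROM_DATE$$'];

/**
 * Build the parameterised query text for one allowlisted placeholder name.
 * Both the placeholder value and the WHERE value are left as "?" markers.
 */
function buildPlaceholderQuery(string $placeholderName): string
{
    if (!in_array($placeholderName, ALLOWED_PLACEHOLDERS, true)) {
        throw new InvalidArgumentException("Unknown placeholder: $placeholderName");
    }
    // Nowdoc (<<<'SQL') so that PHP does not try to interpolate $$...$$.
    $template = <<<'SQL'
SELECT col
FROM my_view (PLACEHOLDER."__NAME__" => ?)
WHERE col = ?
SQL;
    return str_replace('__NAME__', $placeholderName, $template);
}

/**
 * odbc_execute() reads a parameter that starts and ends with a single quote
 * as a file name and sends the file contents instead (PHP manual), so such
 * values must never be passed through from untrusted input.
 */
function assertSafeBindValue(string $value): void
{
    if (strlen($value) >= 2 && $value[0] === "'" && substr($value, -1) === "'") {
        throw new InvalidArgumentException('Bind value must not be wrapped in single quotes');
    }
}

/**
 * Prepare and execute the query with both values bound, returning all rows.
 *
 * @param resource $conn result of odbc_connect()
 * @return array<int, array<string, mixed>>
 */
function runPlaceholderQuery($conn, string $placeholderName, string $placeholderValue, string $whereValue): array
{
    assertSafeBindValue($placeholderValue);
    assertSafeBindValue($whereValue);

    $stmt = odbc_prepare($conn, buildPlaceholderQuery($placeholderName));
    if ($stmt === false) {
        throw new RuntimeException('odbc_prepare failed: ' . odbc_errormsg($conn));
    }
    // Values travel as bound parameters, never as part of the SQL text.
    if (!odbc_execute($stmt, [$placeholderValue, $whereValue])) {
        throw new RuntimeException('odbc_execute failed: ' . odbc_errormsg($conn));
    }

    $rows = [];
    while (($row = odbc_fetch_array($stmt)) !== false) {
        $rows[] = $row;
    }
    odbc_free_result($stmt);
    return $rows;
}

// Usage (DSN and credentials are placeholders for this example):
// $conn = odbc_connect('DSN=HANA_DSN', 'user', 'password');
// $rows = runPlaceholderQuery($conn, '$$P_KEY$$', $_GET['key'] ?? '', $_GET['col'] ?? '');
```

The allowlist is the important design choice: because a placeholder name sits inside double quotes in the SQL text, a name taken from request input could close that quote, so only names the application itself defines are ever spliced in, while every user-supplied value goes through a bind marker.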


10-24 06:45