I use prepared statements mainly to prevent SQL injection. Now I also need to filter on an ENUM type. But how should I use it in the prepared statement so that it stays secure?
I have an address table and need to filter on the customer's invoice addresses. What should I do to keep this safe? Or does it not matter at all?
I can think of two options.

"Invoice" as a bound parameter:
    public function getCustomerInvoiceAddresses($customerNumber)
    {
        $query = 'SELECT contactPerson, company, street, zipCode, city, deliveryMethod
                  FROM address
                  WHERE FK_customerNumber = ?
                  AND addressType = ?';
        $paramType = 'is';
        $paramValue = array(
            $customerNumber,
            "Invoice"
        );
        $invoiceAddressArray = $this->ds->select($query, $paramType, $paramValue);
        return $invoiceAddressArray;
    }
"Invoice" hard-coded in the SELECT:

    public function getCustomerInvoiceAddresses($customerNumber)
    {
        $query = 'SELECT contactPerson, company, street, zipCode, city, deliveryMethod
                  FROM address
                  WHERE FK_customerNumber = ?
                  AND addressType = "Invoice"';
        // Only one placeholder remains, so the type string must be 'i' (not 'is')
        $paramType = 'i';
        $paramValue = array(
            $customerNumber
        );
        $invoiceAddressArray = $this->ds->select($query, $paramType, $paramValue);
        return $invoiceAddressArray;
    }
Or should I pass the string "Invoice" when I call the function?

    $invoiceAddresses = $customer->getCustomerInvoiceAddresses($customerNumber, "Invoice");
If you are passing the data through as parameters and using a prepared statement, I don't believe SQL injection can happen. So I would use the most flexible option, calling

    $invoiceAddresses = $customer->getCustomerInvoiceAddresses($customerNumber, "Invoice");

and renaming the function to getCustomerAddresses.
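The flexible version the answer suggests, written out as an added example (not the poster's or answerer's code): the ENUM value is bound as a parameter, so it never becomes part of the SQL text, and an allow-list check (the hypothetical ADDRESS_TYPES constant, assumed to mirror the column's ENUM definition) turns an unexpected caller value into an explicit error rather than a silently empty result. It assumes a mysqli connection and the address table from the question.

```php
<?php
// Added example, not code from the question or answer. Assumes a mysqli
// connection and the `address` table described above.
declare(strict_types=1);

final class AddressRepository
{
    // Hypothetical allow-list: keep in sync with the ENUM definition of addressType.
    private const ADDRESS_TYPES = ['Invoice', 'Delivery'];

    public function __construct(private mysqli $db) {}

    /**
     * Fetch all addresses of one type for a customer. Both filter values are
     * bound with bind_param ('i' = integer, 's' = string), so neither is
     * interpolated into the query string.
     */
    public function getCustomerAddresses(int $customerNumber, string $addressType): array
    {
        // A non-member string would just match no rows against an ENUM column;
        // failing loudly makes a typo or a bad caller value visible instead.
        if (!in_array($addressType, self::ADDRESS_TYPES, true)) {
            throw new InvalidArgumentException("Unknown address type: $addressType");
        }

        $sql = 'SELECT contactPerson, company, street, zipCode, city, deliveryMethod
                  FROM address
                 WHERE FK_customerNumber = ?
                   AND addressType = ?';

        $stmt = $this->db->prepare($sql);
        if ($stmt === false) {
            throw new RuntimeException('prepare failed: ' . $this->db->error);
        }
        $stmt->bind_param('is', $customerNumber, $addressType);
        $stmt->execute();
        $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
        $stmt->close();
        return $rows;
    }
}

// Usage (constructed connection values, not real credentials):
// $repo = new AddressRepository(new mysqli('localhost', 'user', 'pass', 'shop'));
// $invoiceAddresses = $repo->getCustomerAddresses(42, 'Invoice');
```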