这里是新手。我一直在研究 SQLSVR 如何利用准备好的语句来防止注入，但它们所防止的通常是查询本身，而不是诸如存储过程之类的东西。我当前的代码是否可以避免这种情况？

我一直在尝试理解这里的 PHP 手册：https://www.php.net/manual/en/function.sqlsrv-query.php但我不太确定这会是什么样子，因为我正在使用存储过程。

感谢您花时间阅读本文和指导。

<?php 

include('config.php');

$mysqli = sqlsrv_connect($serverName, $conn_array);

// For error or success messages place the following functions in your functions.php file and include the file here.

// The following functions are based on bootstrap classes for error and success message. If you are not using bootstrap you can stylize your own.

function alertSuccess($msg){

  $alert = "<div class='alert alert-success'>".$msg."</div>";

  return $alert;

}

function alertError($msg){

  $alert = "<div class='alert alert-danger'>".$msg."</div>";

  return $alert;

}

function alertInfo($msg){

  $alert = "<div class='alert alert-info'>".$msg."</div>";

  return $alert;

}

// Storing Form Inputs

$username = ($_POST['username']);

$email = ($_POST['email']);

$region =($_POST['region']);

$password = (!empty($_POST['password']))?$_POST['password']:null;

$password2 = (!empty($_POST['confirmpassword']))?$_POST['confirmpassword']:null;

if(isset($_POST['register'])) {

  // Set "Creating Account" message. 

  echo alertInfo("Attempting to initiate Account Creation...");

  // If username is null then rest of the code will not be executed

  if($username == null){

    echo alertError("Invalid username!");

    header("Location: failed.php");

    exit();

  }

  // If password is not equal then rest of the code will not be executed

  if($password != $password2){

    echo alertError("Password mismatch");

    header("Location: failed.php");

    exit();

  }

  // If username is less than 6 characters long then rest of the code will not be executed

  if(strlen($username) < 6){

    echo alertError("Username must contain at least 6 characters.");

    header("Location: failed.php");

    exit();

  }

  if($region > 2){

    echo alertError("Invalid Region.");

    header("Location: failed.php");

    exit();

  }