dongzaotiao2863 2012-09-19 15:12
浏览 120
已采纳

PHP变量作为SQL查询中的表名

Can a PHP variable be used as a table name in an SQL query? In my case the PHP variable that goes after FROM should be the value being sent from my JQuery code. I want the SQL query to change based on the value sent from JQuery (different value depending on which option of the select box is chosen). 

$file_absolute = ---Placeholder for correct file path---;
include_once($file_absolute);
$mysql = new mysqli($db_host, $db_username, $db_password, $db_name);
$verb_value = $_POST['verb_value'];

$mysql->query("SET CHARACTER SET 'utf8'");

$result = $mysql->query("SELECT present_tense FROM $verb_value");
  • 写回答

2条回答 默认 最新

  • dounangshen6553 2012-09-19 15:14
    关注

    You can do this, yes. Whether you want it is quite another matter - if you're adding user input to your SQL queries, you've got a huge SQL injection hole.

    That said, with table names, you can implement a whitelist, and compare the passed values against that to get a measure of security.

    You can't pass table names (or column names) as bound parameters, though - they need to be generated as part of the query.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论
查看更多回答(1条)

报告相同问题?

悬赏问题

  • ¥50 永磁型步进电机PID算法
  • ¥15 sqlite 附加(attach database)加密数据库时,返回26是什么原因呢?
  • ¥88 找成都本地经验丰富懂小程序开发的技术大咖
  • ¥15 如何处理复杂数据表格的除法运算
  • ¥15 如何用stc8h1k08的片子做485数据透传的功能?(关键词-串口)
  • ¥15 有兄弟姐妹会用word插图功能制作类似citespace的图片吗?
  • ¥200 uniapp长期运行卡死问题解决
  • ¥15 latex怎么处理论文引理引用参考文献
  • ¥15 请教:如何用postman调用本地虚拟机区块链接上的合约?
  • ¥15 为什么使用javacv转封装rtsp为rtmp时出现如下问题:[h264 @ 000000004faf7500]no frame?