douweng1935 2018-12-12 15:21
浏览 99
已采纳

sql查询中这个〜*语法的功能是什么?

I am trying to understand a script to implement new functions and options. In order to search in sql tables they used the following syntax 

$sqlquery = "SELECT DISTINCT \"Name\", \"FileName\", \"Status\", lower(\"Name\") FROM \"" . $SearchedTable . "\" WHERE ";

$sqlquery=$sqlquery." (\"Name\" ~* '".$text[$i]."' OR \"DNA\" ~* '".$text[$i]."')";
  • What I would like to know is why they use \"Name\" (I read somewhere that it has something to do with sql injections).
  • I also couldn't find the reason why to use this syntax ~* instead of =. Or does it means something else?
  • 写回答

1条回答 默认 最新

  • dongyi6668 2018-12-12 15:26
    关注

    General note: Your current query uses string concatenation, and therefore is prone to SQL injection. The best fix on your PHP side would be to use a prepared statement.

    That being said, your SQL syntax appears to be Postgres, not MySQL. Here is the rough query:

    SELECT DISTINCT Name, FileName, Status, lower(Name)
FROM yourTable
WHERE Name ~* ? OR DNA ~* ?;

    The ~* operator in Postgres does case insensitive regex matching. So, for example, to match any Name which starts with mi, you could use:

    WHERE Name ~* '^mi'

    Therefore, what you should be binding to the two placeholders are regular expressions.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

悬赏问题

  • ¥60 版本过低apk如何修改可以兼容新的安卓系统
  • ¥25 由IPR导致的DRIVER_POWER_STATE_FAILURE蓝屏
  • ¥50 有数据,怎么建立模型求影响全要素生产率的因素
  • ¥50 有数据,怎么用matlab求全要素生产率
  • ¥15 TI的insta-spin例程
  • ¥15 完成下列问题完成下列问题
  • ¥15 C#算法问题, 不知道怎么处理这个数据的转换
  • ¥15 YoloV5 第三方库的版本对照问题
  • ¥15 请完成下列相关问题!
  • ¥15 drone 推送镜像时候 purge: true 推送完毕后没有删除对应的镜像,手动拷贝到服务器执行结果正确在样才能让指令自动执行成功删除对应镜像,如何解决?