drpogkqqi536984960 2012-04-11 22:35

Is it necessary to validate column names when submitting SQL queries?

In my SQL Queries I am submitting data from forms filled out by the user, and as shown here it is not possible to parameterize my column names with PDO. This is important because the column names in the query are inserted dynamically based on the field names in the form.

I can rather easily validate the column names submitted in the $_POST array by simply pulling them out of the database and throwing out any that don't match. Is this a good thing to do to avoid SQL injection or is simply a waste of system resources (as it effectively doubles the execution of any request that relies on the Database)?

3 answers

  • doushi3819244 2012-04-12 05:30

    Is this a good thing to do to avoid SQL injection

    No.

    or is simply a waste of system resources

    No.

    It cannot be a waste as it's just a simple select from the system table.

    But it can still be some sort of injection when a user isn't allowed to set some fields. Say, if there is an (imaginary) field "user_role" filled in by the site admin and a user has the possibility to define it in the POST, they can alter their access privileges.

    So, hardcoding (whitelisting) allowed fields is the only reliable way.

    as it effectively doubles the execution of any request that relies on the Database

    Man. Databases are intended to be queried. It's their only purpose. A database that cannot sustain a simple select query is nonsense. Queries are different. An insert is way heavier than 10 selects. You have to distinguish queries by quality, not quantity.

    the column names in the query are inserted dynamically based on the field names in the form.

    Though for insert/update queries it is quite true, for SELECT ones it is a BIG SIGN of bad design. I can stand variable field names in the WHERE/ORDER BY clauses, but if you have to vary the fieldset or table name clauses, your database design is wrong for sure.

    Selected as best answer by the asker.
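The whitelisting the accepted answer recommends, as an added example (not code from the question or the answer): a hardcoded map from form field names to column names decides which columns a request may touch, so a column such as user_role that exists in the schema but is not in the map is rejected even though a "does this column exist?" lookup would have passed it. Values are still bound through PDO; only the identifiers come from the map. The users table, its columns and the form field names are constructed for the example, and it uses an in-memory SQLite database so it runs stand-alone.

```php
<?php
// Added example, not from the original post. Whitelist-based handling of
// dynamic column names in PDO queries, demonstrated against a constructed
// in-memory SQLite table.
declare(strict_types=1);

// Hardcoded whitelist: form field name => database column name, per operation.
// Columns the user must never set (e.g. user_role) are simply absent, so no
// schema lookup is needed and none could "approve" them by mistake.
const PROFILE_EDITABLE = [
    'display_name' => 'display_name',
    'email'        => 'email',
    'bio'          => 'bio',
];

/**
 * Build and execute an UPDATE for one user from submitted form data.
 * Identifiers come only from the whitelist; values are always bound.
 * Returns the columns that were updated; throws on any unknown field.
 */
function updateProfile(PDO $pdo, int $userId, array $post): array
{
    $set = [];
    $params = [':id' => $userId];
    foreach ($post as $field => $value) {
        if (!array_key_exists($field, PROFILE_EDITABLE)) {
            // Reject instead of silently dropping, so tampering shows up in logs.
            throw new InvalidArgumentException('Field not allowed: ' . $field);
        }
        $column = PROFILE_EDITABLE[$field];   // trusted identifier from the map
        $set[] = "`$column` = :$field";       // placeholder name is a whitelisted key
        $params[":$field"] = $value;          // the user-supplied value is parameterized
    }
    if ($set === []) {
        return [];
    }
    $sql = 'UPDATE users SET ' . implode(', ', $set) . ' WHERE id = :id';
    $pdo->prepare($sql)->execute($params);
    return array_values(array_intersect_key(PROFILE_EDITABLE, $post));
}

// The answer allows variable field names in ORDER BY; the same pattern applies:
// the sort key is looked up in a map, never spliced in from the request.
const USER_SORTABLE = ['name' => 'display_name', 'email' => 'email'];

function listUsers(PDO $pdo, string $sort, string $dir): array
{
    $column = USER_SORTABLE[$sort] ?? 'display_name';            // unknown key -> default
    $direction = strtoupper($dir) === 'DESC' ? 'DESC' : 'ASC';   // only two literals possible
    $stmt = $pdo->query("SELECT id, `$column` AS sort_key FROM users ORDER BY `$column` $direction");
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// --- Demonstration on a constructed table ---
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, display_name TEXT, email TEXT, bio TEXT, user_role TEXT)');
$pdo->exec("INSERT INTO users VALUES (1, 'alice', 'alice@example.com', '', 'member')");
$pdo->exec("INSERT INTO users VALUES (2, 'bob', 'bob@example.com', '', 'member')");

// Legitimate submission: only whitelisted fields.
$updated = updateProfile($pdo, 1, ['display_name' => 'Alice', 'bio' => "it's fine"]);
echo 'Updated: ' . implode(', ', $updated) . PHP_EOL;

// Tampered submission (constructed): user_role exists in the schema, so a
// "column exists?" check would accept it; the whitelist rejects the request
// before anything is executed.
try {
    updateProfile($pdo, 1, ['display_name' => 'Mallory', 'user_role' => 'admin']);
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ' . $e->getMessage() . PHP_EOL;
}

$row = $pdo->query('SELECT display_name, user_role FROM users WHERE id = 1')->fetch(PDO::FETCH_ASSOC);
echo "Row 1 is now: {$row['display_name']} / {$row['user_role']}" . PHP_EOL;

// Sorting by a request-controlled key that is not in the map falls back to the default.
foreach (listUsers($pdo, 'user_role; DROP TABLE users', 'desc') as $r) {
    echo "id={$r['id']} sort_key={$r['sort_key']}" . PHP_EOL;
}
```

Run it with the PHP CLI (the pdo_sqlite extension is normally bundled). The key design choice is that the map is keyed by form field name and valued by column name: the request can only ever select an entry, never contribute characters to the SQL text, which is what makes the backtick-quoted identifier safe without any escaping logic.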