PHP在表名中从mysql_real_escape_string更改为PDO [duplicate]

This question already has an answer here:

Can PHP PDO Statements accept the table or column name as parameter? 7 answers

I currently use mysql_real_escape_string to escape variable in mysql query. I know how to use bindValue, but I have a question about protection when I'm trying to insert table name from variable. For example

$tablename = mysql_real_escape_string($name_from_form);
$get = mysql_query("SELECT * FROM ".$tablename." WHERE keyword='something'");

Can anybody help me with an example of how to do PDO prepared statements which will do the same as above?

</div>

写回答
好问题 0 提建议
追加酬金
关注问题
分享
邀请回答
编辑收藏删除结题
收藏举报

1条回答默认最新

关注

码龄粉丝数原力等级 --

被采纳

被点赞

采纳率
dsvs50005 2014-01-24 13:18
关注
You won't be able to escape the table name (I hope that $tablename isn't coming from an outside source - If it is, you will need to whitelist what table names are allowed). In PDO, your code could look something like:

$allowedTables = array('posts', 'users'); if(!in_array($tablename, $allowedTables)){ throw new Exception('Invalid table name: ' . $tablename); } $keyword = 'something'; $stmt = $dbh->prepare("SELECT * FROM " . $tablename . " WHERE keyword = :keyword"); $stmt->bindParam(':keyword', $keyword); $stmt->execute();
本回答被题主选为最佳回答 , 对您是否有帮助呢?

解决无用
评论打赏
分享
举报

评论

按下Enter换行，Ctrl+Enter发表内容

报告相同问题？

关注问题

使用mysql_real_escape_string的速度 mysql php
2014-04-03 21:28

回答 2 已采纳 The mysql_real_escape_string() already searches the string for apostrophes and other characters, a
php加倍\字符（打破mysql_real_escape_string，PDO->引用等）[重复] mysql php
2014-10-19 22:49

回答 2 已采纳 You need to turn off magic_quotes_gpc parameter in your php.ini config. http://php.net/manual/en/
没有mysql_real_escape_string和bindValue的PDO php
2013-07-23 15:11

回答 2 已采纳 No, this is not safe. PDO doesn't magically escape your queries for you. Your code, as shown, is
关于php前台表单是数组_提交到后台循环插入数据库的问题,关于php：这是一种将表单数据插入MySQL数据库的安全方法吗？...
2021-04-22 18:36

weixin_39969006的博客 Possible Duplicate:Best way to stop SQL Injection in PHP这是w3schools.org上的示例：HTML表单：Firstname: Lastname: Age: 插入：PHP:$con = mysql_connect("localhost","peter","abc123");if (!$con){die...
我应该使用htmlentities还是mysql_real_escape_string [关闭] mysql php sql
2013-01-12 18:40

回答 2 已采纳 The two do entirely different things. One escapes data for putting into a SQL statement (which is
mysql_query转换为PDO或mysqli寻找示例 mysql php
2015-06-27 10:36

回答 1 已采纳 this helps you using mysqli: $con = mysqli_connect("localhost",$username,$password,$dbname); $f
mysql_real_escape_string和html_special_chars够了吗？ php
2012-01-31 06:54

回答 3 已采纳 Sam, if you are storing the input in a database, to avoid SQL injection and XSS then those two fun
mysql原始文件_避免原始MySQL扩展，第1部分
2020-08-12 16:19

culi3118的博客 mysql原始文件Experienced developers eschew the original MySQL extension because of its abandoned status in PHP. Nascent web developers, however, may be completely oblivious to its dormant past and ...
mysql_到pdo：我做得对吗？ mysql php
2017-06-29 10:43

回答 2 已采纳 You'we almost correct, you just missed the point of prepare() <?php // New PDO variant try
PHP：从mysql_connect（）PDO重用开放的MySQL连接？ mysql php
2013-01-04 03:12

回答 2 已采纳 I am just curious to see if there is a way to transfer a connection opened by mysql_connect() t
将MYSQL_转换为PDO错误 php
2017-01-26 22:16

回答 2 已采纳 Take a look at this line: $userkey = $_GET['api']; And this line: ':userKey' => $userKey,
防止 SQL 注入的 PHP MySQLi 准备语句教程
2022-08-21 13:01

allway2的博客这可能看起来很奇怪，为...需要注意的是，这需要 mysqlnd，它从 5.3 开始就包含在 PHP 中，并且从 5.4 开始一直是默认的本地驱动程序，MySQLi 独有的一个很棒的功能，在 PDO 中不存在，它可以获取有关查询的更多信息。
PHP连接SQL SERVER 数据库 PHP连接MYSQL数据库并解决中文乱码问题。
2017-10-16 14:23

zuiliannvshen的博客 PHP连接SQL SERVER或者MYSQL 过程都是差不多的。上次写了连接代码，其实还有前置准备工作。这次补上。主要参考文献： http://blog.csdn.net/xiaozhegaa/article/details/53741623 这里已经写的很详细了。首先...
PHP Apache Mysql搭建
2011-09-10 09:02

马如林的博客安装apache、下载PHP和安装Mysql httpd.conf # # This is the main Apache HTTP server configuration file. It contains the # configuration directiv
php sql 避免重复,防止重复输入sql php - php
2021-05-08 03:52

Java架构月亮的博客与 $username = mysql_real_escape_string($_POST['username']); $password = mysql_real_escape_string($_POST['password']); $email = mysql_real_escape_string($_POST['email']); 在您开始使用准备好的语句之前...
PHP7.27: MySqlhelper class
2019-07-13 02:32

weixin_30709635的博客 https://github.com/ThingEngineer/PHP-MySQLi-Database-Class...https://github.com/wildantea/php-pdo-mysql-helper-class MysqliDb.php <?php /** * MysqliDb Class * * @category Database Access...
laragon环境安装新的php版本后弹出php startup
2016-06-17 09:24

任聪聪的博客文件中修改 extension_dir配置就行。把； extension_dir = “ext” ；改成： extension_dir = “D:/myphpenv/php5.4/ext” 其中D:/myphpenv/php5.4/为php安装目录。重启apache发现警告没有了。这个...
php5.4.45的php.ini文件
2016-06-17 09:29

任聪聪的博客复制下面的内容到文件里，需要修改加载路径，别忘咯！[PHP];;;;;;;;;;;;;;;;;;; ; About php.ini ; ;;;;;;;;;;;;;;;;;;; ; PHP's initialization file, generally called php.ini, is responsible for ; ...
PHP 函数大全
2018-03-02 18:48

且听海啸的博客 a函数说明abs 绝对值acos 反余弦acosh 反双曲余弦addcslashes 以 C 语言风格使用反斜线转义字符串中的字符addslashes 使用反斜线引用字符串apache_child_terminate 在本次请求结束后终止 apache 子进程...
iis apache php mysql 配置的php.ini
2010-11-11 17:03

xiang37的博客 [PHP] ;;;;;;;;;;; ; WARNING ; ;;;;;;;;;;; ; This is the default settings file for new PHP installations. ; By default, PHP installs itself with a configuration suitable for ; development purpo...
没有解决我的问题, 去提问

悬赏问题

¥15 如何让企业微信机器人实现消息汇总整合
¥50 关于#ui#的问题：做yolov8的ui界面出现的问题
¥15 如何用Python爬取各高校教师公开的教育和工作经历
¥15 TLE9879QXA40 电机驱动
¥20 对于工程问题的非线性数学模型进行线性化
¥15 Mirare PLUS 进行密钥认证？（详解）
¥15 物体双站RCS和其组成阵列后的双站RCS关系验证
¥20 想用ollama做一个自己的AI数据库
¥15 关于qualoth编辑及缝合服装领子的问题解决方案探寻
¥15 请问怎么才能复现这样的图呀

PHP在表名中从mysql_real_escape_string更改为PDO [duplicate]

1条回答 默认 最新

悬赏问题

1条回答默认最新