I understand that you cannot use database or table names as parameters in prepared statements. However, our app allows a user to specify the database name during the install. Is there an abstract or PDO provided way to quote these names (backticks for MySQL, brackets for MSSql, etc)?
1条回答 默认 最新
- dongpiaozhao6836 2019-02-14 12:00关注
You cannot directly escape column names and table names in PDO. You can see the answer here:
What you can do in this situation is to make a query to get all the tables from the given database, like this:
SHOW TABLES;
Or query to get all Databases like this one:
SHOW DATABASES;
Then use this as a white-list for the user input. When you're using databases, it's wise to exclude some system databases like
mysql
itself andinformation_schema
.Other option is to filter the user input with a given regex, for example if your table/database names are only strings with underscore you can use:
preg_match('/^[a-z_]+$/i', $userGivenTableName)
This should remove any potential strings containing SQL Injections.
解决 无用评论 打赏 举报
悬赏问题
- ¥15 关于#matlab#的问题:在模糊控制器中选出线路信息,在simulink中根据线路信息生成速度时间目标曲线(初速度为20m/s,15秒后减为0的速度时间图像)我想问线路信息是什么
- ¥15 banner广告展示设置多少时间不怎么会消耗用户价值
- ¥16 mybatis的代理对象无法通过@Autowired装填
- ¥15 可见光定位matlab仿真
- ¥15 arduino 四自由度机械臂
- ¥15 wordpress 产品图片 GIF 没法显示
- ¥15 求三国群英传pl国战时间的修改方法
- ¥15 matlab代码代写,需写出详细代码,代价私
- ¥15 ROS系统搭建请教(跨境电商用途)
- ¥15 AIC3204的示例代码有吗,想用AIC3204测量血氧,找不到相关的代码。