duanbohan2015 2019-02-14 11:55
浏览 46

PHP PDO保护数据库名称

I understand that you cannot use database or table names as parameters in prepared statements. However, our app allows a user to specify the database name during the install. Is there an abstract or PDO provided way to quote these names (backticks for MySQL, brackets for MSSql, etc)?

  • 写回答

1条回答 默认 最新

  • dongpiaozhao6836 2019-02-14 12:00
    关注

    You cannot directly escape column names and table names in PDO. You can see the answer here:

    escaping column name with PDO

    What you can do in this situation is to make a query to get all the tables from the given database, like this:

    SHOW TABLES;

    Or query to get all Databases like this one:

    SHOW DATABASES;

    Then use this as a white-list for the user input. When you're using databases, it's wise to exclude some system databases like mysql itself and information_schema.

    Other option is to filter the user input with a given regex, for example if your table/database names are only strings with underscore you can use:

    preg_match('/^[a-z_]+$/i', $userGivenTableName)

    This should remove any potential strings containing SQL Injections.

    评论

报告相同问题?

悬赏问题

  • ¥15 关于#matlab#的问题:在模糊控制器中选出线路信息,在simulink中根据线路信息生成速度时间目标曲线(初速度为20m/s,15秒后减为0的速度时间图像)我想问线路信息是什么
  • ¥15 banner广告展示设置多少时间不怎么会消耗用户价值
  • ¥16 mybatis的代理对象无法通过@Autowired装填
  • ¥15 可见光定位matlab仿真
  • ¥15 arduino 四自由度机械臂
  • ¥15 wordpress 产品图片 GIF 没法显示
  • ¥15 求三国群英传pl国战时间的修改方法
  • ¥15 matlab代码代写,需写出详细代码,代价私
  • ¥15 ROS系统搭建请教(跨境电商用途)
  • ¥15 AIC3204的示例代码有吗,想用AIC3204测量血氧,找不到相关的代码。