In SQL, condition fields and table field names are the same, resulting in full table query.

Dear friends, I am a little Cainiao. In practice, I found a statement similar to the following: {code ...} $ sid indicates the value passed from the front end. seller_item_classify indicates that the sid indicates a field name in the table. if the value passed by $ sid is exactly & #039; sid & #039; the SQL w... dear friends, I am a little Cainiao. In practice, I found that the statement is similar to the following:

SELECT * FROM seller_item_classify where sid=$sid order by cweight asc ;

$ Sid indicates the value passed from the front end. seller_item_classify indicates that the sid indicates a field name in the table;
If the value passed by $ sid is 'Sid ', the SQL where statement becomes invalid, resulting in full table query;

Because in the production environment, the value of $ sid may be a numerical value or a char. Should I filter the value input at the front end in php?

What do you think of this question?

Reply content:

Dear friends, I am a little Cainiao. In practice, I found that the statement is similar to the following:

SELECT * FROM seller_item_classify where sid=$sid order by cweight asc ;

$ Sid indicates the value passed from the front end. seller_item_classify indicates that the sid indicates a field name in the table;
If the value passed by $ sid is 'Sid ', the SQL where statement becomes invalid, resulting in full table query;

Because in the production environment, the value of $ sid may be a numerical value or a char. Should I filter the value input at the front end in php?

What do you think of this question?

"SELECT * FROM seller_item_classify where sid='$sid' order by cweight asc ;"

For front-end input values, the backend must be filtered. SQL preprocessing is recommended.

Add ''to all SQL condition values''

sid = '$sid'

As AliasGood?

You can solve the problem by adding single quotes.

'Select * FROM seller_item_classify where sid = '. $ sid. 'Order by cweight asc ;'
Use pdo for preprocessing