Dear friends, I am a bit of a newbie. In practice, I found a statement similar to the following:
SELECT * FROM seller_item_classify where sid=$sid order by cweight asc ;
$sid is the value passed from the front end; seller_item_classify is the table, and sid is a field name in that table;
If the value passed in $sid is exactly 'sid', the SQL WHERE condition loses its effect and the query returns the full table;
Because in the production environment the value of $sid may be either a numeric value or a string, should I filter the front-end input value in PHP?
What do you think of this question?
Reply content:
"SELECT * FROM seller_item_classify where sid='$sid' order by cweight asc ;"
Front-end input values must be filtered on the backend. Prepared statements are recommended.
Add single quotes ('') around all SQL condition values
sid = '$sid'
As Alias
Good?
You can solve the problem by adding single quotes.
"SELECT * FROM seller_item_classify WHERE sid = '" . $sid . "' ORDER BY cweight ASC;"
Use PDO prepared statements.
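To make the three positions in this thread concrete (the unquoted interpolation from the question, the "just add single quotes" replies, and the PDO prepared-statement replies), here is an added example that is not code from the original posts. It runs against an in-memory SQLite database through PDO so that it works offline; the table contents and the assumption that sid is an integer column and cweight a sort weight are constructed for illustration, since the real schema is not on the page.

```php
<?php
// Added example, not from the original thread. Reproduces the cases discussed
// above against an in-memory SQLite database via PDO. The rows below are
// constructed sample data; only the sid and cweight columns are assumed from
// the thread's own query.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE seller_item_classify (sid INTEGER, name TEXT, cweight INTEGER)');
$pdo->exec("INSERT INTO seller_item_classify VALUES (1,'shoes',2),(2,'hats',1),(3,'bags',3)");

// Case 1: unquoted interpolation, exactly as in the question. When $sid is the
// string "sid", the predicate becomes "sid=sid", which is true for every row,
// so the whole table comes back.
function unquoted(PDO $pdo, string $sid): array {
    $sql = "SELECT * FROM seller_item_classify WHERE sid=$sid ORDER BY cweight ASC";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Case 2: the value wrapped in single quotes, as several replies suggest.
// "sid" is now compared as a string literal and matches nothing, but the
// input is still spliced into SQL text, so a value containing a quote can
// rewrite the WHERE clause.
function quoted(PDO $pdo, string $sid): array {
    $sql = "SELECT * FROM seller_item_classify WHERE sid='$sid' ORDER BY cweight ASC";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Case 3: PDO prepared statement with a bound parameter. The value is sent as
// data and is never parsed as SQL, whether it is a number or a string.
function prepared(PDO $pdo, string $sid): array {
    $stmt = $pdo->prepare('SELECT * FROM seller_item_classify WHERE sid = :sid ORDER BY cweight ASC');
    $stmt->execute([':sid' => $sid]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Inputs: a normal id, the bare identifier from the question, and a
// classic quote-breaking payload (constructed for the demonstration).
$inputs = ['2', 'sid', "' OR '1'='1"];

foreach ($inputs as $sid) {
    printf("input %-12s unquoted=%d rows\n", var_export($sid, true), count(unquoted($pdo, $sid)));
}
foreach ($inputs as $sid) {
    // The unquoted form throws a syntax error on the third input; the quoted
    // and prepared forms both accept it, with very different results.
    printf("input %-12s quoted=%d rows  prepared=%d rows\n",
        var_export($sid, true), count(quoted($pdo, $sid)), count(prepared($pdo, $sid)));
}
```

Running it shows the point of the thread: the unquoted query returns the entire table for the input sid, the quoted query returns the entire table for the quote-containing input (and the unquoted query cannot even parse that input, so the first loop is best wrapped in a try/catch if you extend it), while the prepared statement returns only the row for 2 and nothing for either hostile input. One caveat for the MySQL deployment the question describes: if sid is an integer column there, MySQL coerces a non-numeric string such as 'sid' to 0 for the comparison, so the quoted-but-unbound form can still match a row with sid=0; binding the parameter (and, for pdo_mysql, disabling PDO::ATTR_EMULATE_PREPARES so the server sees a real prepared statement) sidesteps both that and the injection.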