$sqlLink = init_mysql();$stmt = $sqlLink->stmt_init()$sql = 'SELECT ? FROM ?;';$stmt->prepare($sql);$stmt->bind_param("ss",'colA','tableA');$stmt->execute();Q2:參數化防止注入,如何進行模糊查詢?
1.sql = 'SELECT * FROM tableA WHERE col LIKE \'%?%\'';
2.sql = "SELECT * FROM tableA WHERE col LIKE '%?%'";
3.sql = 'SELECT * FROM tableA WHERE col LIKE \'%'.'?'.'%\'';
以上方式我經過嘗試都不能使用,請問帶%模糊查詢如何書寫SQL的prepare語句?
有一種可行的方式如下:
sql = 'SELECT * FROM tableA WHERE col LIKE \'%'.$string.'%\'';
但是失去了防注入的意義,請問有沒有正確的方式給予我引導?:-D
Q1:以下代碼是正確的嗎?即表名和列名也可以用參數化匯入嗎?
$sqlLink = init_mysql();$stmt = $sqlLink->stmt_init()$sql = 'SELECT ? FROM ?;';$stmt->prepare($sql);$stmt->bind_param("ss",'colA','tableA');$stmt->execute();Q2:參數化防止注入,如何進行模糊查詢?
1.sql = 'SELECT * FROM tableA WHERE col LIKE \'%?%\'';
2.sql = "SELECT * FROM tableA WHERE col LIKE '%?%'";
3.sql = 'SELECT * FROM tableA WHERE col LIKE \'%'.'?'.'%\'';
以上方式我經過嘗試都不能使用,請問帶%模糊查詢如何書寫SQL的prepare語句?
有一種可行的方式如下:
sql = 'SELECT * FROM tableA WHERE col LIKE \'%'.$string.'%\'';
但是失去了防注入的意義,請問有沒有正確的方式給予我引導?:-D
原來的prepare引入的目的,是為了先行編譯,產生執行計畫,從而提高效能。本意可不是為了防止sqlinject。如果table都沒有了,是無法先行編譯的。就沒有意義了。
涉及到的是 PHP Binding a Wildcard 的知識。
補充:如果不bind parameter。可以直接拼接字串。對引入的參數,都做一個escape就安全了。(函數: mysql_real_escape_string)
$db = new PDO(DB_DSN, DB_USERNAME, DB_PASSWORD, $pdo_options);$query = $database->prepare('SELECT * FROM table WHERE name LIKE :name');$query->bindValue(':name', '%'.$name.'%', PDO::PARAM_STR);$query->execute();while ($results = $query->fetch()){ echo $results['name'];}Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
