原来,表名和字段名不能在pdo中“参数化查询”
Please see the following: http://us3.php.net/manual/en/book.pdo.php#69304
Table and Column names cannot be replaced by parameters in PDO.
In that case you will simply want to filter and sanitize the data manually. One way to do this is to pass in shorthand parameters to the function that will execute the query dynamically and then use a switch() statement to create a white list of valid values to be used for the table name or column name. That way no user input ever goes directly into the query. So for example:
function buildQuery( $get_var )
{
switch($get_var)
{
case 1:
$tbl = 'users';
break;
}
$sql = "SELECT * FROM $tbl";
}
By leaving no default case or using a default case that returns an error message you ensure that only values that you want used get used.
-----------------------------
To understand why binding a table (or column) name doesn't work, you have to understand how the placeholders in prepared statements work: they are not simply substituted in as (suitably escaped) strings, and the resulting SQL executed. Instead, a DBMS asked to "prepare" a statement comes up with a complete query plan for how it would execute that query, including which tables and indexes it would use, which will be the same regardless of how you fill in the placeholders.
The plan for SELECT name FROM my_table WHERE id = :value will be the same whatever you substitute for :value, but the seemingly similar SELECT name FROM :table WHERE id = :valuecannot be planned, because the DBMS has no idea what table you're actually going to select from.
This is not something an abstraction library like PDO can or should work around, either, since it would defeat the 2 key purposes of prepared statements: 1) to allow the database to decide in advance how a query will be run, and use the same plan multiple times; and 2) to prevent security issues by separating the logic of the query from the variable input.
原来,表名和字段名不能在pdo中“参数化查询”的更多相关文章
- SQL Server 2008 R2——根据数据查找表名和字段名 根据脏数据定位表和字段
=================================版权声明================================= 版权声明:原创文章 谢绝转载 请通过右侧公告中的“联系邮 ...
- mybatis动态调用表名和字段名
以后慢慢启用个人博客:http://www.yuanrengu.com/index.php/mybatis1021.html 一直在使用Mybatis这个ORM框架,都是使用mybatis里的一些常用 ...
- SQL 查询所有表名、字段名、类型、长度、存储过程、视图
-- 获得存储过程创建语句 select o.xtype,o.name,cm.text from syscomments cm inner join sysobjects o on o.id=cm.i ...
- sqlserver查询所有表名、字段名、类型、长度和存储过程、视图的创建语句
-- 获得存储过程创建语句 select o.xtype,o.name,cm.text from syscomments cm inner join sysobjects o on o.id=cm.i ...
- Oracle 查询库中所有表名、字段名、字段名说明,查询表的数据条数、表名、中文表名、
查询所有表名:select t.table_name from user_tables t;查询所有字段名:select t.column_name from user_col_comments t; ...
- oracle的表名、字段名、constraint名的长度限制分别是多少?
文章出处:http://blog.csdn.net/haiross/article/details/38379615 Oracle:表名.字段名.constraint名的长度有限制 oracle 的命 ...
- ibatis动态的传入表名、字段名
ibatis动态的传入表名.字段名,主要传入表名和字段名的不一致. Java代码: Map<String,Object> params = new HashMap<String,Ob ...
- SQL查询表,表的所有字段名,SQL查询表,表的所有字段名
SQL查询表,表的所有字段名 2011-07-29 10:21:43| 分类: SQLServer | 标签:表 sql 字段 |举报 |字号 订阅 SQL查询表,表的所有字段名 SQ ...
- SQL添加表字段以及SQL查询表,表的所有字段名
通用式: alter table [表名] add [字段名] 字段属性 default 缺省值 default 是可选参数 增加字段: alter table [表名] add 字段名 smalli ...
随机推荐
- uva1608 Non-boring sequences
某个序列找到唯一元素后,判断被分成的两边的序列即可问题在于找到唯一元素连续序列,重复元素的问题:感觉很有一般性 查找相同元素用map,last,next存上一个相同元素的位置复杂度计算有点思考:记录l ...
- vscode F12 不能用,原来是快捷键冲突了。
vscode F12 不能用,原来是快捷键冲突了.
- 一个Lucene.Net的Demo
今天突然想来看一下全文检索,于是就了解了一下Lucene.Net,然后把公司目前的产品表拿来练手,写了这么个Demo. 先看一下Demo的代码 public class ProductReposito ...
- stay hungry stay foolish.
I am honored to be with you today at your commencement from one of the finest universities in the wo ...
- Vickers Vane Pump - Hydraulic Vane Pump Failure: Cavitation, Mechanical Damage
One of our readers recently wrote to me about the following questions: “Recently, we purchased a sec ...
- IIS实现HTTPS的主机名绑定
默认情况下,IIS中HTTPS 绑定是无法指定主机名的解决办法:通过手工修改 IIS 配置来实现主机头绑定.打开如下位置的文件. C:\Windows\system32\inetsrv\config\ ...
- vue获取v-model数据类型boolean改变成string
问题描述 今天产品问我一线上bug,怎么radio类型改不了 问题分析 看代码,之前的哥们儿是怎么写的 //页面 <div class="ui-form-box"> & ...
- luogu P1008 三连击
题目背景 本题为提交答案题,您可以写程序或手算在本机上算出答案后,直接提交答案文本,也可提交答案生成程序. 题目描述 将1,2,…,9共9个数分成三组,分别组成三个三位数,且使这三个三位数构成1:2: ...
- [模板] Exgcd
求解一组ax+bc=gcd(a,b) #include<iostream> #include<cstdio> using namespace std; int exgcd(in ...
- Vijos 1308 埃及分数(迭代加深搜索)
题意: 输入a.b, 求a/b 可以由多少个埃及分数组成. 埃及分数是形如1/a , a是自然数的分数. 如2/3 = 1/2 + 1/6, 但埃及分数中不允许有相同的 ,如不可以2/3 = 1/3 ...