How do I prevent SQL injection with dynamic table names?

I discussed this with a well-known PHP guy: PDO is of no use here, and neither is mysql_real_escape_string. That is rather bad. Fine, but I really don't know how anyone could recommend mysql_real_escape_string or PDO to fix this code:

<script type="text/javascript">
var layer;
window.location.href = "example3.php?layer=" + layer;
</script>

<?php
// Make a MySQL connection
$query = "SELECT Category, COUNT(BUSNAME)
          FROM " . $_GET['layer'] . " GROUP BY Category";
$result = mysql_query($query) or die(mysql_error());

into this:

$layer = mysql_real_escape_string($_GET['layer']);
$query = "SELECT Category, COUNT(BUSNAME)
          FROM `" . $layer . "` GROUP BY Category";

Bear in mind that the JavaScript code is sent to the client.
3 answers

嚕嚕噠
1784 experience points, 7+ upvotes

$allowed_tables = array('table1', 'table2');   // the only tables this code may query
$clas = $_POST['clas'];
// Use the client value only if it is exactly one of the allowed names (strict comparison)
if (in_array($clas, $allowed_tables, true)) {
    $query = "SELECT * FROM `$clas`";
}

慕標5832272
1966 experience points, 4+ upvotes

'...FROM `' . str_replace('`', '``', $tableName) . '`...'

mysql_real_escape_string
addslashes
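The two defences above, the whitelist from the first answer and the backtick doubling from the second, written out side by side on a constructed malicious "layer" value. This is an added example, not code from the question or either answer; the table and column names (business_shops, users, email, pw) and the helper names are assumptions.

```php
<?php
// Added example: whitelist and identifier quoting for a client-supplied table name.
// Table/column names are hypothetical.
declare(strict_types=1);

// Whitelist: client-supplied key -> table name chosen by the application.
// The untrusted string never becomes part of the SQL text.
const LAYER_TABLES = [
    'shops'       => 'business_shops',
    'restaurants' => 'business_restaurants',
];

function tableForLayer(string $layer): string
{
    if (!array_key_exists($layer, LAYER_TABLES)) {
        throw new InvalidArgumentException("unknown layer: $layer");
    }
    return LAYER_TABLES[$layer];
}

// Identifier quoting: wrap in backticks and double any backtick inside.
// This is MySQL's escaping rule for quoted identifiers; mysql_real_escape_string()
// and PDO::quote() handle string literals and do not touch backticks.
// MySQL identifiers are at most 64 characters and may not contain NUL.
function quoteIdentifier(string $name): string
{
    if ($name === '' || strlen($name) > 64 || strpos($name, "\0") !== false) {
        throw new InvalidArgumentException('invalid identifier');
    }
    return '`' . str_replace('`', '``', $name) . '`';
}

function categoryCounts(string $table): string
{
    return 'SELECT Category, COUNT(BUSNAME) FROM ' . quoteIdentifier($table)
         . ' GROUP BY Category';
}

// Constructed attacker input aimed at the "fixed" query in the question: it closes
// the backtick that code adds and appends a UNION; the trailing "-- " comments out
// the rest. mysql_real_escape_string() would pass this through unchanged.
$malicious = 'business_shops` UNION SELECT email, pw FROM users -- ';

echo "Vulnerable (backticks added, value not escaped):\n";
echo 'SELECT Category, COUNT(BUSNAME) FROM `' . $malicious . "` GROUP BY Category\n\n";

echo "Backtick doubling (whole payload becomes one odd, non-existent identifier):\n";
echo categoryCounts($malicious), "\n\n";

echo "Whitelist:\n";
foreach (['shops', $malicious] as $layer) {
    try {
        echo categoryCounts(tableForLayer($layer)), "\n";
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}
```

Run with `php example.php`. Note the difference between the two defences: doubling backticks only stops the value from breaking out of the identifier, so the client can still pick any table the database user can read (for example `users`); the whitelist is the stronger control, and quoting is a sensible extra layer on top of it.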