How do I prevent SQL injection with dynamic table names? A highly reputed PHP guy in my discussion said: PDO is of no use here, and mysql_real_escape_string is of extremely poor quality. That is all well and good, but I really don't know whether it is advisable to use mysql_real_escape_string or PDO to fix this code:

<script type="text/javascript">
var layer;
window.location.href = "example3.php?layer=" + layer;
</script>

<?php
// Make a MySQL connection
// The table name is taken straight from the query string (the vulnerable version)
$query = "SELECT Category, COUNT(BUSNAME)
FROM " . $_GET['layer'] . " GROUP BY Category";
$result = mysql_query($query) or die(mysql_error());
?>

into this:

<?php
// Same query, with the table name escaped and wrapped in backticks
$layer = mysql_real_escape_string($_GET['layer']);
$query = "SELECT Category, COUNT(BUSNAME)
FROM `" . $layer . "` GROUP BY Category";
?>

taking into account that the JavaScript code is sent from the client side.
3 answers
噜噜哒
Contributed 1784 experience points, received 7+ likes
<?php
// Only table names listed here may appear in the query
$allowed_tables = array('table1', 'table2');
$clas = $_POST['clas'];
// Reject anything that is not exactly one of the allowed names
if (in_array($clas, $allowed_tables)) {
    $query = "SELECT * FROM `$clas`";
}
?>
慕标5832272
Contributed 1966 experience points, received 4+ likes
'...FROM `' . str_replace('`', '``', $tableName) . '`...'
mysql_real_escape_string
addslashes
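As an added example (this is not code from the question or from either answer), the following PHP combines the two answers above: the whitelist from the first answer decides which tables the page may query at all, and the doubled-backtick quoting from the second answer is kept as a second layer so that a backtick in the value can never close the identifier. The table names 'businesses' and 'parks', the function names, and the attack string are assumed for illustration.

```php
<?php
// Added example, not from the question or either answer.
// Table names 'businesses' and 'parks' are assumed for illustration.
declare(strict_types=1);

/**
 * Quote a MySQL identifier as the second answer does: wrap it in backticks
 * and double every backtick inside the name. Inside backticks the only
 * special character is the backtick itself, so doubling it is sufficient.
 */
function quote_identifier(string $name): string
{
    return '`' . str_replace('`', '``', $name) . '`';
}

/**
 * Whitelist check as in the first answer. Returns the canonical table name,
 * or null if the value is not one the application exposes.
 * Strict comparison avoids PHP's loose-equality surprises in in_array().
 */
function resolve_layer(string $layer, array $allowed): ?string
{
    return in_array($layer, $allowed, true) ? $layer : null;
}

/**
 * Build the question's query for a user-supplied layer name.
 * The whitelist is the real control; quoting is defence in depth.
 */
function build_category_query(string $layer, array $allowed): string
{
    $table = resolve_layer($layer, $allowed);
    if ($table === null) {
        throw new InvalidArgumentException('unknown layer');
    }
    return 'SELECT Category, COUNT(BUSNAME) FROM '
        . quote_identifier($table)
        . ' GROUP BY Category';
}

$allowed_tables = ['businesses', 'parks']; // assumed table names

// Legitimate request, e.g. example3.php?layer=businesses
echo build_category_query('businesses', $allowed_tables), "\n";

// Constructed attack value: tries to close the backtick and append a clause.
$attack = 'businesses` UNION SELECT user, password FROM mysql.user -- ';

// The whitelist rejects it before any SQL is built.
try {
    build_category_query($attack, $allowed_tables);
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";
}

// Even without the whitelist, quoting keeps the whole value inside one
// identifier; MySQL would look for a table with this odd literal name and
// fail with "table doesn't exist" instead of running the UNION.
echo quote_identifier($attack), "\n";
```

The whitelist is the part that actually closes the hole: neither PDO nor mysqli prepared statements can bind an identifier as a parameter, and mysql_real_escape_string and addslashes only escape the characters that matter inside a quoted string literal (quotes, backslash, NUL, newlines), not the backtick, so passing a table name through either of them does nothing useful. Doubled-backtick quoting is worth keeping as a second layer because a value that somehow slips past the whitelist still ends up as a single (non-existent) table name rather than attacker-controlled SQL.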