使用Jquery选择SQL表列-SQL注入?
[英]Selecting SQL table column with Jquery - SQL injection?
问题描述
I'm looking for a bit of advice on which method is more secure and efficent to use. 
我正在寻找有关哪种方法更安全,更有效地使用的建议。
OPTION A: I have a database named calendar, and 12 tables in it - "January", "February" etc. Each month has it's own .php page with "select * from jan" etc. I have a dropdown menu, which when the user selects for example "January" I have an ajax script that then loads jan.php into the div "currentmonth" 选项A:我有一个名为Calendar的数据库,其中有12个表-“ January”,“ February”等。每个月都有它自己的.php页面,带有“ select * from jan”等。我有一个下拉菜单,当用户选择例如“ January”,我有一个ajax脚本,然后将jan.php加载到div“ currentmonth”中
What I was thinking of doing, because along with the "currentmonth" div, I've also got a "recentlyadded" div showing the last 3 entries sorted by their timestamp. 我当时想做的是,因为除了“ currentmonth” div外,我还拥有一个“ recentlyadded” div,它显示了按时间戳排序的最后3个条目。 I'm not sure how I could show the 3 most recently added entries in the whole database, so I tried option B. 我不确定如何显示整个数据库中最近添加的3个条目,因此我尝试了选项B。
OPTION B: I have one table called calendar, and each row has a column called month. 选项B:我有一个称为日历的表,每一行都有一个称为月的列。 This made it more simple for display the recently added, but I'm not sure how to go about implementing the dropdown menu. 这样可以更轻松地显示最近添加的内容,但是我不确定如何实现下拉菜单。 From what I've read the idea I have can leave me open to sql injection. 从我已经读过的想法中,我可以让我接受sql注入。
Here's the idea: I have a jquery variable called "selectedmonth" which is equal to the value of the selected month. 这是一个想法:我有一个名为“ selectedmonth”的jquery变量,它等于所选月的值。 I then want to take that variable... for example, user selects "January" the value is "jan", and I want the sql statement to then update with SELECT * FROM calendar WHERE months = "jan", but as I said, I hear this can leave me wide open to SQL injection. 然后,我想使用该变量...例如,用户选择“ January”,值是“ jan”,然后我想用SELECT * FROM calendar WHERE months =“ jan”来更新sql语句,但是正如我所说,我听说这可以让我对SQL注入敞开大门。
Is there anyway to dynamically update the SQL statement, maybe with AJAX or JSON? 无论如何,是否可以使用AJAX或JSON动态更新SQL语句? Is there a way to do OPTION B without leaving myself open to SQL injection? 有没有一种方法可以做选项B,而又不让我自己接受SQL注入? Or is there an easier way for me to use OPTION A, and be able to find the 3 most recent added rows in the entire database? 还是我可以使用一种更简单的方法来使用选项A,并且能够找到整个数据库中最近添加的3行?
The one thing I'm wondering though is with option A, I would obviously have 12 "month".php files, will that add a lot to page load times? 我想知道的一件事是选项A,我显然会有12个“ month” .php文件,这会增加页面加载时间吗?
Any advice would be greatly appreciated. 任何建议将不胜感激。
1 个解决方案
解决方案1
0 2015-01-20 01:42:49
Use prepared statements and you should be fine. 使用准备好的语句,您应该没事。 The second option is preferable, the first is not a good idea... 第二个选择是可取的,第一个不是一个好主意...
All you have to do is something like: 您所要做的就是:
$row = $conn->prepare("SELECT * FROM calendar WHERE months = ?");
$row->bind_param('s', $_GET['month']);
$row->execute();
$row = $row->get_result();
And you'll be SQL injection-free. 而且您将无需进行SQL注入。 Read more here. 在这里阅读更多。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.