
MySQL prepared statement nvarchar

I have a prepared statement which should update a field.

CREATE PROCEDURE `update_table` (in id INT, in col nvarchar(11), in val nvarchar(10))
BEGIN
SET @sql = concat('UPDATE table SET ', col, ' = ', val , ' WHERE id = ', id);
PREPARE stmt FROM @sql;
EXECUTE stmt;
DEALLOCATE PREPARE stmt;
END

If I call the procedure with a string containing a hyphen (e.g. A-B)

CALL update_table(1, 'reg', 'A-B');

I get

Error 1054: Unknown column 'A' in 'field list'

Can you please assist in solving the issue?

Edit: I just figured out the hyphen is not the cause of the error. If I try to update with 'AB', the same error comes up. The field to be updated is nvarchar as well, with the same field length.

You're vulnerable to SQL injection attacks, basically. Your sproc generated this SQL:

UPDATE table SET reg = A-B WHERE id = 1

Note the lack of quotes around A-B. You're not storing the string A-B in the reg field. You're doing mathematical subtraction: reg = A minus B, and neither A nor B are fields that exist in your table.

At BARE minimum you'd need:

SET @sql = concat('UPDATE table SET ', col, ' = "', val , '" WHERE id = ', id);
                                                ^----------^

so you're generating

UPDATE table SET reg = "A-B" WHERE id = 1
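Wrapping the value in double quotes only fixes the symptom the question reports; a value that itself contains a double quote still breaks out of the literal, and under `sql_mode = ANSI_QUOTES` double quotes delimit identifiers rather than strings, so the "bare minimum" fix stops working altogether. The procedure below is an added example, not code from the question or the answer above. It assumes a hypothetical table `mytable` with columns `id` and `reg`: the value and the id go through `?` placeholders, and the column name, which cannot be a bind parameter, is checked against `information_schema` before it is spliced into the statement text.

```sql
-- Added example: hardened version of the procedure from the question.
-- Assumes a hypothetical table `mytable` (id INT, reg VARCHAR(10)).
DELIMITER $$

CREATE PROCEDURE update_table_safe (IN p_id INT, IN p_col VARCHAR(64), IN p_val VARCHAR(10))
BEGIN
  -- 1. Identifiers cannot be bound with '?', so whitelist the column name
  --    against the catalogue before it touches the statement text.
  IF NOT EXISTS (
      SELECT 1
      FROM information_schema.COLUMNS
      WHERE TABLE_SCHEMA = DATABASE()
        AND TABLE_NAME   = 'mytable'
        AND COLUMN_NAME  = p_col
  ) THEN
    SIGNAL SQLSTATE '45000' SET MESSAGE_TEXT = 'update_table_safe: unknown column';
  END IF;

  -- 2. Backtick-quote the validated identifier (doubling any backtick, as
  --    belt and braces) and use placeholders for every value. The value is
  --    never part of the SQL text, so quotes or hyphens in it are harmless.
  SET @sql = CONCAT('UPDATE `mytable` SET `', REPLACE(p_col, '`', '``'),
                    '` = ? WHERE `id` = ?');

  -- EXECUTE ... USING takes user variables, so copy the parameters over.
  SET @p_val = p_val;
  SET @p_id  = p_id;

  PREPARE stmt FROM @sql;
  EXECUTE stmt USING @p_val, @p_id;
  DEALLOCATE PREPARE stmt;
END$$

DELIMITER ;

-- Usage: the hyphenated value from the question is stored verbatim,
-- and a value containing a double quote is stored verbatim too.
CALL update_table_safe(1, 'reg', 'A-B');
CALL update_table_safe(1, 'reg', 'A"B');

-- A column name that does not exist is rejected with SQLSTATE 45000
-- instead of being concatenated into the statement.
-- CALL update_table_safe(1, 'reg; DROP TABLE mytable', 'x');
```

The whitelist check is what makes the identifier splice safe; `REPLACE` on the backtick is only there so the procedure still emits a syntactically valid identifier if the check is ever relaxed. If the set of updatable columns is small and fixed, a `CASE p_col WHEN 'reg' THEN ... ELSE SIGNAL` over literal column names is simpler still and avoids dynamic SQL entirely.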
