[英]php files on the fly
In PHP, If i have this assign: 在PHP中,如果我有此分配:
$link = 'Home';
And in another php section i need to grab the value of $link and insert it in a MYSQL query in plain text, like this: 在另一个php部分中,我需要获取$ link的值,并将其插入纯文本的MYSQL查询中,如下所示:
$sql = "SELECT txt FROM Home WHERE id = 1";
Note that $link has been written in the format of it's value in the query. 请注意,$ link已以其在查询中的值格式写入。 Basically i need to see the inside of the $link var and write it down on the query.
基本上,我需要查看$ link var的内部并将其记录在查询中。
Why i need this -> because i'm creating php files on the fly after the click of a submit button. 为什么我需要这个->因为单击提交按钮后我正在动态创建php文件。 And inside of the newly created file is a tinymce text editor that needs to read it's text contents from a table that was also created on the fly along with this file.
在新创建的文件中,有一个tinymce文本编辑器,该编辑器需要从一个表中读取文本内容,该表也是随该文件一起动态创建的。
您想要这样的东西吗?
$sql = "SELECT txt FROM ".$link." WHERE id = 1";
What you want to do is this: 您要做的是:
$sql = "SELECT txt FROM $link WHERE id = 1";
^ ^ ^
The double-quotes ( "
) specify that the string has to be interpreted (with single quotes this won't work). Inside the string you can then write the name of the variable ( $link
) and it will be "supplanted" by its value. 双引号(
"
)指定必须对字符串进行解释(单引号将不起作用)。然后在字符串内可以写入变量的名称( $link
),然后将其替换为它的价值。
I would'nt recommend doing this because it is vulnerable to SQL-injection and it is a very very bad practice that show that you do things in an uncommon way. 我不建议您这样做,因为它很容易受到SQL注入的影响,并且这是非常非常糟糕的做法,它表明您以一种不常见的方式进行操作。 Better avoid it!
最好避免它!
EDIT : even worse... 编辑 :更糟糕的是...
When you say in a comment creates a mysql table with the name of the file that's an even worse thing to do. 当您在评论中说时,使用文件名创建一个mysql表,这是一件更糟糕的事情。 First, not all characters in a filename should go into a table name.
首先,不是文件名中的所有字符都应输入表名。 Second, you can get litearlly anything as a filename, even things that are not actual filenames.
其次,您可以获取所有东西作为文件名,即使不是实际文件名的东西也可以。
It is possible to forge a HTTP request so that the filename is an arbitrary string of your liking, for example: 可以伪造一个HTTP请求,以便文件名是您喜欢的任意字符串,例如:
a (); SELECT * FROM accounts; --
When you put this string into your query: 当您将此字符串放入查询中时:
CREATE TABLE $filename (id int PRIMARY KEY, whatever varchar(20) NOT NULL);
You get this resulting SQL query: 您得到以下结果SQL查询:
CREATE TABLE a (); SELECT * FROM accounts; -- (id int PRIMARY KEY, whatever varchar(20) NOT NULL);
As you can see, this will create a table a
without any columns and then select all usernames and passwords, if the table accounts
exists. 如您所见,这将创建一个没有任何列的表
a
,然后选择所有用户名和密码(如果存在表accounts
。 The rest of the query is commented out with --
. 其余查询用
--
注释掉。
This is a very simple SQL injection attack and you don't want to do this! 这是一种非常简单的SQL注入攻击,您不想这样做! Don't put userinput straight up into your SQL queries!!
不要将userinput直接放入您的SQL查询中!!
EDIT : taking the value from $_POST
编辑 :从
$_POST
取值
If your field has the name link
then you can access it with 如果您的字段具有名称
link
则可以使用
$_POST['link']
You can put this into your string this way: 您可以通过以下方式将其放入字符串中:
$sql = "SELECT txt FROM {$_POST['link']} WHERE id = 1";
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.