如何清理查询?
[英]How to sanitize the query?
问题描述
I have this SQL Query which I want to sanitize: 
我有这个SQL查询要清理:
SELECT * FROM navigation_$cat ORDER BY parent ASC, prio ASC
The problem is that I can't get the $cat sooner because it's being send via AJAX, and indicates which database needs to be accessed. 问题是我无法尽快获得$ cat,因为它是通过AJAX发送的,并指出需要访问哪个数据库。 How can I create a PDO statement that is safer than simply putting a string together? 如何创建一个比简单地将字符串放在一起更安全的PDO语句?
1 个解决方案
解决方案1
2 已采纳 2017-08-09 18:46:20
You can implement a whitelist, but another option would be to check for valid input using: 您可以实施白名单,但另一个选择是使用以下方法检查有效输入:
SHOW TABLES LIKE :tblname
and 'navigation_'.$cat as the parameter. 和'navigation_'.$cat作为参数。 Check that this returns exactly one table, and that the returned table exactly matches the passed parameter. 检查这是否恰好返回一个表,并且返回的表与传递的参数完全匹配。
Once that's done, you know it's safe to inject into the query, because you've ascertained that it is indeed a valid table name. 一旦完成,您就知道可以安全地插入查询,因为您已经确定它确实是有效的表名。
That being said, "dynamically selecting from an unknown-in-advance table" is usually a sign that you're designing your database wrong, and you should probably just have one navigation table with a category column inside. 话虽这么说,“从一个未知的提前表中动态选择”通常表明您在设计数据库时出错,并且您可能只应该在其中有一个带有category列的navigation表。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.