mysql在使用alter table时是否需要真正转义?
[英]Is it necessary to mysql real escape when using alter table?
问题描述
I noticed the other day that I cannot bind variables when using PDO with ALTER TABLE for example the following example will not work,
前几天我注意到在使用 PDO 和 ALTER TABLE 时我无法绑定变量,例如以下示例将不起作用,
$q = $dbc -> prepare("ALTER TABLE emblems ADD ? TINYINT(1) UNSIGNED NOT NULL DEFAULT '0', ADD ? DATETIME NOT NULL");
$q -> execute(array($emblemDB, $emblemDB . 'Date'));
So is it necessary to use mysql_real_escape string and do it like below,那么是否有必要使用 mysql_real_escape 字符串并像下面那样做,
// ESCAPE NAME FOR MYSQL INSERTION
$emblemDB = mysql_real_escape_string($emblemDB);
// INSERT EMBLEM DETAILS INTO DATABASE
$q = $dbc -> prepare("ALTER TABLE emblems ADD " . $emblemDB . " TINYINT(1) UNSIGNED NOT NULL DEFAULT '0', ADD " . $emblemDB . "Date DATETIME NOT NULL");
$q -> execute();
Or do I not need to add in mysql_real_escape_string ?或者我不需要添加mysql_real_escape_string吗? As the only thing the query can do is ADD columns?由于查询唯一能做的就是添加列?
Thanks谢谢
1 个解决方案
解决方案1
1 已采纳 2012-04-05 11:25:47
Depends.要看。 If you directly use user input in your query, you should use it.如果您在查询中直接使用用户输入,则应该使用它。 If you don't, the user could delimit the query and throw a DROP statement after it.如果不这样做,用户可以分隔查询并在其后抛出DROP语句。
When a user would input:当用户输入时:
somekindofname TINYINT(1) UNSIGNED NOT NULL DEFAULT '0'; DROP TABLE emblems --
Your query would become:您的查询将变为:
ALTER TABLE emblems ADD somekindofname TINYINT(1) UNSIGNED NOT NULL DEFAULT '0'; DROP TABLE emblems -- TINYINT(1) UNSIGNED NOT NULL DEFAULT '0', ADD TINYINT(1) UNSIGNED NOT NULL DEFAULT '0' somekindofname; DROP TABLE emblems -- Date DATETIME NOT NULL
Your database will execute the ALTER TABLE , execute the DROP TABLE and ignore the comment at the end.您的数据库将执行ALTER TABLE ,执行DROP TABLE并忽略末尾的注释。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.