[英]Is it necessary to mysql real escape when using alter table?
I noticed the other day that I cannot bind variables when using PDO with ALTER TABLE for example the following example will not work,前几天我注意到在使用 PDO 和 ALTER TABLE 时我无法绑定变量,例如以下示例将不起作用,
$q = $dbc -> prepare("ALTER TABLE emblems ADD ? TINYINT(1) UNSIGNED NOT NULL DEFAULT '0', ADD ? DATETIME NOT NULL");
$q -> execute(array($emblemDB, $emblemDB . 'Date'));
So is it necessary to use mysql_real_escape string and do it like below,那么是否有必要使用 mysql_real_escape 字符串并像下面那样做,
// ESCAPE NAME FOR MYSQL INSERTION
$emblemDB = mysql_real_escape_string($emblemDB);
// INSERT EMBLEM DETAILS INTO DATABASE
$q = $dbc -> prepare("ALTER TABLE emblems ADD " . $emblemDB . " TINYINT(1) UNSIGNED NOT NULL DEFAULT '0', ADD " . $emblemDB . "Date DATETIME NOT NULL");
$q -> execute();
Or do I not need to add in mysql_real_escape_string
?或者我不需要添加
mysql_real_escape_string
吗? As the only thing the query can do is ADD columns?由于查询唯一能做的就是添加列?
Thanks谢谢
Depends.要看。 If you directly use user input in your query, you should use it.
如果您在查询中直接使用用户输入,则应该使用它。 If you don't, the user could delimit the query and throw a
DROP
statement after it.如果不这样做,用户可以分隔查询并在其后抛出
DROP
语句。
When a user would input:当用户输入时:
somekindofname TINYINT(1) UNSIGNED NOT NULL DEFAULT '0'; DROP TABLE emblems --
Your query would become:您的查询将变为:
ALTER TABLE emblems ADD somekindofname TINYINT(1) UNSIGNED NOT NULL DEFAULT '0'; DROP TABLE emblems -- TINYINT(1) UNSIGNED NOT NULL DEFAULT '0', ADD TINYINT(1) UNSIGNED NOT NULL DEFAULT '0' somekindofname; DROP TABLE emblems -- Date DATETIME NOT NULL
Your database will execute the ALTER TABLE
, execute the DROP TABLE
and ignore the comment at the end.您的数据库将执行
ALTER TABLE
,执行DROP TABLE
并忽略末尾的注释。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.