
Selecting SQL table column with Jquery - SQL injection?

I'm looking for a bit of advice on which method is more secure and efficient to use.

OPTION A: I have a database named calendar, and 12 tables in it - "January", "February" etc. Each month has its own .php page with "select * from jan" etc. I have a dropdown menu, and when the user selects for example "January" I have an ajax script that then loads jan.php into the div "currentmonth".

That's what I was thinking of doing, but along with the "currentmonth" div, I've also got a "recentlyadded" div showing the last 3 entries sorted by their timestamp. I'm not sure how I could show the 3 most recently added entries in the whole database, so I tried option B.

OPTION B: I have one table called calendar, and each row has a column called month. This made it simpler for displaying the recently added entries, but I'm not sure how to go about implementing the dropdown menu. From what I've read, the idea I have can leave me open to SQL injection.

Here's the idea: I have a jQuery variable called "selectedmonth" which is equal to the value of the selected month. I then want to take that variable... for example, the user selects "January", the value is "jan", and I want the SQL statement to then update to SELECT * FROM calendar WHERE months = "jan", but as I said, I hear this can leave me wide open to SQL injection.

Is there any way to dynamically update the SQL statement, maybe with AJAX or JSON? Is there a way to do OPTION B without leaving myself open to SQL injection? Or is there an easier way for me to use OPTION A and be able to find the 3 most recently added rows in the entire database?

The one thing I'm wondering, though, is that with option A I would obviously have 12 "month".php files; will that add a lot to page load times?

Any advice would be greatly appreciated.

Use prepared statements and you should be fine. The second option is preferable, the first is not a good idea...

All you have to do is something like:

// $conn is an existing mysqli connection; the month code comes from the AJAX request
$stmt = $conn->prepare("SELECT * FROM calendar WHERE months = ?");
$stmt->bind_param('s', $_GET['month']);   // bound as a string parameter, never pasted into the SQL text
$stmt->execute();
$result = $stmt->get_result();
while ($row = $result->fetch_assoc()) {
    // ... render one calendar entry
}

And you'll be SQL injection-free. Read more here.
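Putting the answer's approach together as one AJAX endpoint, as an added example that is not part of the original answer: it assumes an existing mysqli connection $conn and a calendar table with columns months, title and added (a timestamp), and it returns both the selected month's rows and the three newest rows across all months as JSON, which covers the "recentlyadded" div from the question as well.

```php
<?php
// Added example (not from the original question or answer): month.php, a
// single AJAX endpoint serving OPTION B. Assumes a mysqli connection $conn
// and a `calendar` table with columns `months`, `title` and `added`
// (a timestamp); those column names are assumptions.

header('Content-Type: application/json');

// Defence in depth: the month is only ever one of twelve known codes, so
// reject anything else before it reaches the database at all.
$validMonths = ['jan', 'feb', 'mar', 'apr', 'may', 'jun',
                'jul', 'aug', 'sep', 'oct', 'nov', 'dec'];
$month = $_GET['month'] ?? '';
if (!in_array($month, $validMonths, true)) {
    http_response_code(400);
    echo json_encode(['error' => 'unknown month']);
    exit;
}

// Entries for the selected month: the value is bound as a parameter, so it
// is sent to MySQL as data and can never change the SQL text itself.
$stmt = $conn->prepare(
    'SELECT title, added FROM calendar WHERE months = ? ORDER BY added DESC'
);
$stmt->bind_param('s', $month);
$stmt->execute();
$entries = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
$stmt->close();

// The "recentlyadded" panel: newest three rows across every month. No user
// input is involved here, but the same prepare/execute pattern keeps it uniform.
$recent = $conn->prepare(
    'SELECT title, months, added FROM calendar ORDER BY added DESC LIMIT 3'
);
$recent->execute();
$recentlyAdded = $recent->get_result()->fetch_all(MYSQLI_ASSOC);
$recent->close();

echo json_encode(['month' => $entries, 'recentlyAdded' => $recentlyAdded]);
```

The dropdown's change handler then requests month.php?month=<code> (for example with $.getJSON) and renders the two arrays into the "currentmonth" and "recentlyadded" divs, so only one PHP file is needed for all twelve months.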
