
How to sanitize the query?

I have this SQL Query which I want to sanitize:

SELECT * FROM navigation_$cat ORDER BY parent ASC, prio ASC

The problem is that I can't get the $cat sooner because it's being sent via AJAX, and indicates which database needs to be accessed. How can I create a PDO statement that is safer than simply putting a string together?

You can implement a whitelist, but another option would be to check for valid input using:

SHOW TABLES LIKE :tblname

and 'navigation_'.$cat as the parameter. Check that this returns exactly one table, and that the returned table exactly matches the passed parameter.

Once that's done, you know it's safe to inject into the query, because you've ascertained that it is indeed a valid table name.

That being said, "dynamically selecting from an unknown-in-advance table" is usually a sign that you're designing your database wrong, and you should probably just have one navigation table with a category column inside.
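The following is an added example, not code from the original answer, showing the three approaches the answer describes in PHP with PDO against MySQL: a whitelist of category names, the parameterised SHOW TABLES LIKE round-trip with an exact single-match check, and the single-table design with a category column that needs no dynamic identifier at all. The $pdo connection, the category names in the whitelist and the column names are assumptions for illustration.

```php
<?php
declare(strict_types=1);

// Added example (not from the original answer). Assumes a MySQL connection
// in $pdo and a 'navigation' / 'navigation_<cat>' schema as in the question.

// Option 1: whitelist. Only identifiers listed here can ever reach the SQL
// string; anything else is rejected before a query is built.
function navigationTableFromWhitelist(string $cat): ?string
{
    static $allowed = ['main', 'footer', 'sidebar']; // placeholder category names
    return in_array($cat, $allowed, true) ? 'navigation_' . $cat : null;
}

// Option 2: ask the database whether the table exists, with the candidate
// name bound as a parameter so the lookup itself cannot be injected, and
// accept only an exact, single match, as the answer recommends.
function navigationTableFromCatalog(PDO $pdo, string $cat): ?string
{
    // Reject anything that is not a plain identifier before touching the DB.
    // This keeps quotes, spaces and LIKE wildcards (%) out entirely.
    if (!preg_match('/^[A-Za-z0-9_]+$/', $cat)) {
        return null;
    }
    $candidate = 'navigation_' . $cat;

    // '_' is a single-character LIKE wildcard; escape every underscore so the
    // pattern can only match the candidate literally (MySQL's default escape is '\').
    $pattern = str_replace('_', '\\_', $candidate);

    $stmt = $pdo->prepare('SHOW TABLES LIKE :tblname');
    $stmt->execute([':tblname' => $pattern]);
    $rows = $stmt->fetchAll(PDO::FETCH_COLUMN, 0);

    // Exactly one row, and it must equal the candidate byte for byte.
    if (count($rows) !== 1 || $rows[0] !== $candidate) {
        return null;
    }
    return $candidate;
}

// Build the query only after the identifier has been verified.
function fetchNavigation(PDO $pdo, string $cat): array
{
    $table = navigationTableFromCatalog($pdo, $cat);
    if ($table === null) {
        throw new InvalidArgumentException('Unknown navigation category');
    }
    // $table is a verified, existing identifier; backticks guard the literal name.
    $sql = "SELECT * FROM `{$table}` ORDER BY parent ASC, prio ASC";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Option 3: the answer's preferred design. One table with a 'category'
// column (assumed name) means the user value is a bound parameter, never
// part of the SQL text, so no identifier validation is needed at all.
function fetchNavigationSingleTable(PDO $pdo, string $cat): array
{
    $stmt = $pdo->prepare(
        'SELECT * FROM navigation WHERE category = :cat ORDER BY parent ASC, prio ASC'
    );
    $stmt->execute([':cat' => $cat]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}
```

The pre-check regex in option 2 is what makes the SHOW TABLES round-trip meaningful: without it, a value containing `%` could match several tables and the exact-match comparison would be doing all the work alone. Option 3 is the one to reach for when the schema can still be changed, since the category never becomes part of the query text.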
