The condition field and table field name in SQL are the same, resulting in a full-table query
Hello everyone, I am a newbie. In practice, I found that statements similar to the following:
<code>SELECT * FROM seller_item_classify where sid=$sid order by cweight asc ; </code>
$sid is the value passed from the front end, seller_item_classify is the table name, and sid is a field name in the table;
If the value passed by $sid happens to be 'sid', the SQL WHERE clause becomes ineffective, causing a full-table query;
Because in a production environment the value of $sid may be numeric or char, should I filter the front-end input value in PHP?
What do you think of this issue?
<code>"SELECT * FROM seller_item_classify where sid='$sid' order by cweight asc ;"</code>
For front-end input values, the back-end must filter them, and it is recommended to use SQL prepared statements.
Add '' to all SQL condition values
<code>sid = '$sid'</code>
as alias
Does it work?
Add single quotes and it will be solved
<code>'SELECT * FROM seller_item_classify where sid=\''.$sid.'\' order by cweight asc ;'</code>
Use PDO prepared statements
<code><?php
$sid = isset($_REQUEST['sid']) ? htmlspecialchars(trim($_REQUEST['sid'])) : '';
if (!$sid or $sid == 'sid') {
    // Illegal request; an exception can be thrown here
}</code>
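To illustrate the "use PDO prepared statements" advice given above, here is an added example (not code from the original thread) that places the question's string-spliced query next to a parameterised version. It assumes a PDO connection to a MySQL database containing the seller_item_classify table; the connection details are placeholders.

```php
<?php
// Added example, not from the original thread. Assumes a MySQL database
// with the seller_item_classify table described in the question.
declare(strict_types=1);

// Vulnerable form from the question: the value is spliced into the SQL text.
// With $sid = 'sid' the query becomes "... where sid=sid ...", a tautology,
// so every row is returned; other inputs can change the query in other ways.
function buildQueryUnsafe(string $sid): string
{
    return "SELECT * FROM seller_item_classify where sid=$sid order by cweight asc";
}

// Hardened form: the SQL text is fixed and the value travels separately as a
// bound parameter. Whatever $sid contains is treated as data, never as SQL,
// so the input 'sid' compares the column against the string 'sid' and
// matches nothing. This works whether sid holds numbers or characters.
function fetchClassify(PDO $pdo, string $sid): array
{
    $sql = 'SELECT * FROM seller_item_classify WHERE sid = :sid ORDER BY cweight ASC';
    $stmt = $pdo->prepare($sql);
    $stmt->bindValue(':sid', $sid, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Connection settings are placeholders; adjust them for your environment.
$pdo = new PDO(
    'mysql:host=localhost;dbname=DB_NAME_PLACEHOLDER;charset=utf8mb4',
    'DB_USER_PLACEHOLDER',
    'DB_PASSWORD_PLACEHOLDER',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        // Use real server-side prepares rather than client-side emulation.
        PDO::ATTR_EMULATE_PREPARES => false,
    ]
);

$sid = isset($_REQUEST['sid']) ? trim((string) $_REQUEST['sid']) : '';

echo buildQueryUnsafe('sid'), PHP_EOL; // prints the tautology the question describes
$rows = fetchClassify($pdo, $sid);      // bound parameter: no quoting or 'sid' check needed
```

With the bound parameter the special case `$sid == 'sid'` no longer needs its own check, because the value can never be read as a column name.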