Can you put placeholders in the select part of a query using PDO?


Problem description

I plan to use PDO's prepare() and execute() mechanism to prevent SQL injection attacks.

Normally the placeholders in a SQL query are in the conditional part.

For example:

select name, age from members where age > ? and gender = 'f';

However, is it possible to put placeholders in the select part?

select name, age, ? from members where age > ? and gender = 'f';

I know I can't put column names there, but can I put a constant? Like

select name, age, 'foo' from members where age > ? and gender ='f';

Thanks.

Recommended answer

Nope. PDO can't sanitize column or table names.

If you really have to use dynamic table names, the safest way to deal with them is to check whether they actually exist in the table, and insert them into the query the normal way.

Pseudocode:

// Check the caller-supplied name against the columns that really exist (an allow-list),
// then interpolate only the validated name; the data values still use ? placeholders.
$fieldname = make_sure_this_field_really_exists($_GET["fieldname"]);
$PDO->prepare("select name, age, `$fieldname` from members where age > ? and gender = 'f';" ... );
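As an added example (not part of the original answer) of the allow-list approach the answer sketches: the requested column name is checked against the columns the table actually has before it is interpolated, while the age value is still bound through a placeholder. It uses an in-memory SQLite database with a constructed members table so it runs offline; the function name and the rows are assumptions.

```php
<?php
// Added example, not code from the original answer.
declare(strict_types=1);

function selectMembersWithExtraColumn(PDO $pdo, string $extraColumn, int $minAge): array
{
    // Identifiers cannot be bound, so build an allow-list from the columns that
    // really exist and refuse anything else before it reaches the SQL text.
    $allowed = [];
    foreach ($pdo->query('PRAGMA table_info(members)') as $row) {
        $allowed[] = $row['name'];
    }
    if (!in_array($extraColumn, $allowed, true)) {
        throw new InvalidArgumentException("Unknown column: $extraColumn");
    }

    // Only the validated identifier is interpolated (backtick-quoted, as in the
    // answer's pseudocode); the age value stays a bound ? placeholder.
    $sql = "select name, age, `$extraColumn` from members where age > ? and gender = 'f'";
    $stmt = $pdo->prepare($sql);
    $stmt->execute([$minAge]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample data (assumption): a small members table in memory.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('create table members (name text, age integer, gender text, city text)');
$pdo->exec("insert into members values ('alice', 34, 'f', 'Oslo'),
                                       ('bob', 40, 'm', 'Bern'),
                                       ('carol', 25, 'f', 'Rome')");

print_r(selectMembersWithExtraColumn($pdo, 'city', 30)); // only alice / Oslo matches

try {
    // A name that is not a real column is rejected before any query is prepared.
    selectMembersWithExtraColumn($pdo, 'city` from members; --', 30);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```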
