如何在不引起SQL注入的情况下使用另一个表的值创建表 [英] How to create a table using values of another table without causing SQL injection

问题描述

我在数据库中有一个表，其中包含Profile_Name和Profile_Tip列.

我的应用程序中有一个文本框，在其中输入表名的文本.我想用此名称在数据库中创建一个表.我想使用Profile_Name值作为新创建表的列名，而不会引起SQL注入.请帮助.我是使用这些语言的新手.预先谢谢您.

I have a table in the database with columns Profile_Name and Profile_Tip.

I have a textbox in my application where I enter the text for the table name. I want to create a table in the database with this name. I want to use Profile_Name values as the column names of the newly created table without causing SQL injection. Kindly help. I am a fresher using the languages. Thank you in advance.

推荐答案

阅读本文:

如果我正确理解了您的问题，您想在CREATE TABLE命令中使用动态表名，并且您担心SQL注入(这当然是一件好事！)，

如果是这样，一种可能性是您依赖命名限制.例如，在文本框中的表名称中不允许使用任何转义字符，分号，引号等.消除所有定界符将有助于防止许多SQL注入.

但是，如果您要创建动态命名的表，那么我认为您可以用另一种方式解决此要求.在不了解实际情况的情况下，我会猜测您可以拥有一个预定义的表，并在表中添加更多列以区分行.

If I understood your question correctly you want to have a dynamic table name in a CREATE TABLE command and you''re worried about SQL injections (which of course is a good thing!),

If that''s the case, one possibility is that you rely on the naming restrictions. For example, you don''t allow any escaped characters, semicolons, quotation marks and so on in the table name in the text box. Eliminating all the delimiter characters would help to prevent many of SQL injections.

However, if you''re about to create dynamically named tables, I feel that you could solve the requirement in another way. Without knowing anything more about the actual situation I would guess that you could have a single, pre-defined table and add more columns to the table to distinguish the rows.

这篇关于如何在不引起SQL注入的情况下使用另一个表的值创建表的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！