mysql查询中int值周围的引号 [英] quotes around int values in mysql queries
问题描述
我习惯于通过我的int函数过滤用户提交的变量,以确保它是一个数字(如果未返回0),并且不在mysql查询中引用该变量.
I've gotten a habit of filtering the user submitted variable through my int function which makes sure it's a number (if not returns 0) and not quoting the variable in mysql queries.
这是不好的做法吗?我认为出于性能方面的考虑,我决定这样做.另外,我一直认为数字不应该用引号引起来.
Is that bad practice? I think I decided to do this for performance reasons. Plus I've always thought that numbers shouldn't be put in quotes.
示例:
if($perpage != $user['perpage']){
if($perpage == 50 || $perpage == 100 || $perpage == 200 ){
$DB->query("UPDATE users SET perpage=$perpage WHERE id=$user[id]", __FILE__, __LINE__);
}
}
推荐答案
啊哈!一个有趣的例子!
aha! an interesting case here!
-
您总体上是正确的.最好将数字视为数字,而不是字符串
You are right in general. It is always better to treat numbers as numbers, not strings
- 它使您的代码更加理智和一致
- mysql中的
strict_mode
设置,如果启用,则不允许您将数字伪装成字符串.
- it makes your code more sane and consistent
- an
strict_mode
setting in mysql, which won't allow you do disguise a number as a string, if turned on.
但是您的实现实际上允许注入!让我们将其留给您的作业:)
But your implementation in fact allows an injection! Let's leave it for your homework to find it :)
以下是您的参考资料,解释了此注入方法: http://php.net/language .types.type-juggling
Here is a reference for you, explaining this injection: http://php.net/language.types.type-juggling
所以,我要像这样编写您的代码
so, I'd make your code like this
$perpage = intval($perpage);
if($perpage != $user['perpage'] && in_array($perpage,array(50,100,200) {
$DB->query("UPDATE users SET perpage=$perpage WHERE id=$user[id]");
}
这篇关于mysql查询中int值周围的引号的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!