mysql查询中int值周围的引号 [英] quotes around int values in mysql queries

问题描述

我习惯于通过我的int函数过滤用户提交的变量，以确保它是一个数字(如果未返回0)，并且不在mysql查询中引用该变量.

I've gotten a habit of filtering the user submitted variable through my int function which makes sure it's a number (if not returns 0) and not quoting the variable in mysql queries.

这是不好的做法吗?我认为出于性能方面的考虑，我决定这样做.另外，我一直认为数字不应该用引号引起来.

Is that bad practice? I think I decided to do this for performance reasons. Plus I've always thought that numbers shouldn't be put in quotes.

示例:

if($perpage != $user['perpage']){
if($perpage == 50 || $perpage == 100 || $perpage == 200 ){
$DB->query("UPDATE users SET perpage=$perpage WHERE id=$user[id]", __FILE__, __LINE__);
}
}

推荐答案

啊哈！一个有趣的例子！

aha! an interesting case here!

1. 您总体上是正确的.最好将数字视为数字，而不是字符串

1. You are right in general. It is always better to treat numbers as numbers, not strings

• 它使您的代码更加理智和一致
• mysql中的strict_mode设置，如果启用，则不允许您将数字伪装成字符串.

• it makes your code more sane and consistent
• an strict_mode setting in mysql, which won't allow you do disguise a number as a string, if turned on.

但是您的实现实际上允许注入！让我们将其留给您的作业:)

But your implementation in fact allows an injection! Let's leave it for your homework to find it :)

以下是您的参考资料，解释了此注入方法: http://php.net/language .types.type-juggling

Here is a reference for you, explaining this injection: http://php.net/language.types.type-juggling

所以，我要像这样编写您的代码

so, I'd make your code like this

$perpage = intval($perpage);
if($perpage != $user['perpage'] && in_array($perpage,array(50,100,200) { 
  $DB->query("UPDATE users SET perpage=$perpage WHERE id=$user[id]"); 
} 

这篇关于mysql查询中int值周围的引号的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！