问题描述

PHP变量可以用作SQL查询中的表名吗?在我的情况下，FROM后面的PHP变量应该是我的JQuery代码发送的值.我希望根据从JQuery发送的值来更改SQL查询(不同的值取决于选择的选择框的选项).

Can a PHP variable be used as a table name in an SQL query? In my case the PHP variable that goes after FROM should be the value being sent from my JQuery code. I want the SQL query to change based on the value sent from JQuery (different value depending on which option of the select box is chosen).

$file_absolute = ---Placeholder for correct file path---;
include_once($file_absolute);
$mysql = new mysqli($db_host, $db_username, $db_password, $db_name);
$verb_value = $_POST['verb_value'];

$mysql->query("SET CHARACTER SET 'utf8'");

$result = $mysql->query("SELECT present_tense FROM $verb_value");

推荐答案

可以，是的.是否想要是另一回事-如果要将用户输入添加到SQL查询中，则会有一个巨大的SQL注入孔.

You can do this, yes. Whether you want it is quite another matter - if you're adding user input to your SQL queries, you've got a huge SQL injection hole.

也就是说，使用表名，您可以实现白名单，并将传递的值与表中的值进行比较，以衡量安全性.

That said, with table names, you can implement a whitelist, and compare the passed values against that to get a measure of security.

但是，您不能将表名(或列名)作为绑定参数传递-它们需要在查询中生成.

You can't pass table names (or column names) as bound parameters, though - they need to be generated as part of the query.

这篇关于PHP变量作为SQL查询中的表名的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持！