使用like和%

eblbsuwk 于 2021-06-19 发布在 Mysql

关注(0)|答案(1)|浏览(303)

我有一个很大的sql查询，我正试图阻止注入。因为查询在变量上使用like和“%”，所以我不知道如何格式化它，也不知道我的常用方法

$sql = "INSERT into UsedBook ( userId, bookId, price, description ) VALUES 
(?,?,?,?)";

if($stmt = mysqli_prepare($conn, $sql)){
    mysqli_stmt_bind_param($stmt, "iiis", $userId, $bookId, $price, 
$description);
mysqli_stmt_execute($stmt);
}

不符合格式。
这是我的大问题。在靠近底部的地方查找带有变量的like语句。

$sql = "SELECT DISTINCT Offering.offeringId, UsedBook.saleId, 
UsedBook.bookId, UsedBook.price,
UsedBook.timeStamp, Book.bookName, Classes.classNumber, Instructor.name,
Classes.departmentName, Offering.section, Users.email, UsedBook.description
FROM UsedBook, Book, Classes, Offering, Instructor, RequiredBook, Users
WHERE UsedBook.bookId = Book.bookId
and Classes.classId = RequiredBook.classId and Book.bookId = 
RequiredBook.bookId
and Classes.classId = Offering.classId and Offering.instructorId = 
Instructor.instructorId
and Offering.semesterId = $semester and UsedBook.userId = Users.userId and 
UsedBook.userId != $userId
and Classes.departmentName like '$departmentName%' and Classes.classNumber 
like '$classNumber%'
and Book.bookName like '$bookName%' and Offering.section like '$section%'";

mysql php phpmyadmin sql-injection

来源：https://stackoverflow.com/questions/52239852/prevent-lnjection-on-large-sql-select-statement-using-like-and

1条答案

按热度按时间

3pvhb19x1#

你仍然可以使用预先准备好的语句，你只需要合并 % 进入绑定参数，例如。

$sql = "SELECT * FROM UsedBook WHERE bookName LIKE ?";
$param = "$bookName%";
if($stmt = mysqli_prepare($conn, $sql)){
    mysqli_stmt_bind_param($stmt, "s", $param);
    mysqli_stmt_execute($stmt);
}

赞(0）回复(0）举报 2021-06-20

我来回答

使用like和%

1条答案

相关问题

热门标签

最新问答