我有几个问题都与同一个问题有关。我正在尝试将一些MySQL连接/命令更新到PDO以减轻SQL注入。我正在尝试转换此代码:
$ulog = $_POST['driver'];
$_SESSION['user_id'] = $ulog;
$tablename_cc = "cc_".$ulog;
$tablename_db = "db_".$ulog;
$tablename_misc = "misc_".$ulog;
$tablename_cash = "cash_".$ulog;
$sql_cc = "SELECT * FROM " .$tablename_cc;
$sql_db = "SELECT * FROM " .$tablename_db;
$sql_misc = "SELECT * FROM " .$tablename_misc;
$sql_cash = "SELECT * FROM " .$tablename_cash;
$result_cc = mysql_query($sql_cc);
$result_db = mysql_query($sql_db);
$result_misc = mysql_query($sql_misc);
$result_cash = mysql_query($sql_cash);
以下代码:
$tables = array($tablename_cc, $tablename_db, $tablename_misc, $tablename_cash);
$A = count($tables);
$result = array();
try {
$STH = $DBH->prepare('SELECT * FROM :table');
$i = 0;
while($i < $A) {
$STH->bindParam(':table', $tables[$i]);
$STH->execute();
$result[$i] = $STH->fetchAll();
$i++;
}
}
catch(PDOException $e) {
echo $e->getMessage();
}
但是,我一直收到语法错误。如果我以下面的方式尝试它,错误消失了,但这种方式对我来说不是很有用,因为它不会避免SQL注入。
try {
$i = 0;
while($i < $A) {
$STH = $DBH->query('SELECT * FROM ' .$tables[$i]);
$result[$i] = $STH->fetchAll();
$i++;
}
}
catch(PDOException $e) {
echo $e->getMessage();
}
尽管最后一种方法有效,但根据我的理解,它无助于减轻SQL注入。我遇到的第二个问题是,有时这些表格不存在,而我在旧方法中解决这些问题的方法是做一个小小的检查:
$result_cc = mysql_query($sql_cc);
if(mysql_num_rows($result_cc) != 0){}
然而,这个中间步骤似乎在PDO中消失了,所以我仍然需要弄清楚如何检查这个。