嗨,我有以下声明
function count_rows($table_name, $condition = null, $debug = false)
{
$query_result = $this->query("SELECT count(*) AS count_rows FROM " . $this->db_prefix . $table_name . " " . $condition, $debug);
$count_rows = $this->sql_result($query_result, 0, 'count_rows');
return $count_rows;
}
我一直在使用 firefox 的 sql Inject me 插件,它给了我错误
运行脚本时发生 Mysql 错误:
The query you are trying to run is invalid
Mysql Error Output: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '))' at line 2
SQL Query: SELECT count(*) AS count_rows FROM database_auctions a WHERE a.active=1 AND a.approved=1 AND a.deleted=0 AND a.list_in!='store' AND a.catfeat='1' AND a.closed=0 AND (a.category_id IN ())
如何清理此查询以防止 SQL 注入(inject)?
最佳答案
看起来当您传递 $contidion
时,您忘记了括号之间的 a.category_id IN ()
应该是值。
为了避免 SQL 注入(inject)检查 this
关于php - 需要帮助来防止sql注入(inject),我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/14309364/