如何检查包含字符串的列？

currently I've been using this:

目前我一直在用这个:

SELECT * FROM `meow` WHERE profile LIKE '%$username%'

But the problem I'm facing is if someone puts the letters 'a' it will pull everything that contains a and that's a bit of a security risk on my end, How do i search just 1 column to see if it matches $username exactly? not the whole table?

但我面临的问题是,如果有人把字母'a',它会拉出包含a的所有东西,这对我来说有点安全风险,我如何只搜索1列,看它是否与$ username完全匹配?不是整张桌子?

4 个解决方案

#1

For exact string matching you should the = operator instead of the like operator:

对于精确的字符串匹配,你应该使用=运算符而不是like运算符:

SELECT * FROM `meow` WHERE profile = '$username'

#2

Stop using string concatenation to build your query. It's evil. Instead use mysqli or pdo and use prepared statements.

停止使用字符串连接来构建查询。这是邪恶的。而是使用mysqli或pdo并使用预准备语句。

$pdo = new PDO('mysql:host=localhost;dbname=yourdb', 'your_username', 'your_password');

$stmt = $pdo->prepare("SELECT * FROM `meow` WHERE profile = ?");
$stmt->execute(array($username));

$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);

Also, use equality, instead of like, if you wish to check for exact matches.

此外,如果您想检查完全匹配,请使用相等而不是相似。

#3

Instead of using like use equal to

而不是使用相似的使用

try this :

试试这个 :

 SELECT * FROM meow WHERE profile = '$username'

#4

Try with -

尝试 -

"SELECT * FROM `meow` WHERE profile LIKE '$username'"

for exact match.

完全匹配。

#1