In MySQL queries, how important is it to put backticks around a table name. Does it have something to do with security? Are MySQL injection attacks possible through the table name if the table name is created dynamically in PHP based on user inputs?
在MySQL查询中,在表名周围添加反引号是多么重要。它与安全性有关吗?如果根据用户输入在PHP中动态创建表名,是否可以通过表名进行MySQL注入攻击?
3 个解决方案
#1
15
The backticks help you from accidentally using a name that is a reserved word in SQL for example. Take a table named "where", it's a stupid name for a table I agree, but if you wrap it in backticks it will work fine.
反引号可以帮助您意外地使用SQL中的保留字名称。拿一个名为“where”的表,这是我同意的表的愚蠢名称,但是如果你用反引号包装它会很好。
#2
10
In MySQL queries, how important is it to put backticks around a table name. Does it have something to do with security?
在MySQL查询中,在表名周围添加反引号是多么重要。它与安全性有关吗?
As far as backticks are concerned, I use them when there is name conflict between mysql-specifcs names and those from query.
就反引号而言,当mysql-specifcs名称与查询名称之间存在名称冲突时,我会使用它们。
Are MySQL injection attacks possible through the table name if the table name is created dynamically in PHP based on user inputs?
如果根据用户输入在PHP中动态创建表名,是否可以通过表名进行MySQL注入攻击?
When ever there is a user input, you need to make sure that you filter and validate the input coming from the user. So yes there is security risk to it.
当有用户输入时,您需要确保过滤并验证来自用户的输入。所以是的,存在安全风险。
I would recommend you to use intval for numbers and mysql_real_escape_string function for any variables that you may use in your queries.
我建议你使用intval作为数字,使用mysql_real_escape_string函数来处理你可能在查询中使用的任何变量。
#3
3
If you have a table name with the same name as a keyword, e.g. select, the following query will still work:
如果您的表名与关键字同名,例如选择,以下查询仍然有效:
select * from `select`;
#1
15
The backticks help you from accidentally using a name that is a reserved word in SQL for example. Take a table named "where", it's a stupid name for a table I agree, but if you wrap it in backticks it will work fine.
反引号可以帮助您意外地使用SQL中的保留字名称。拿一个名为“where”的表,这是我同意的表的愚蠢名称,但是如果你用反引号包装它会很好。
#2
10
In MySQL queries, how important is it to put backticks around a table name. Does it have something to do with security?
在MySQL查询中,在表名周围添加反引号是多么重要。它与安全性有关吗?
As far as backticks are concerned, I use them when there is name conflict between mysql-specifcs names and those from query.
就反引号而言,当mysql-specifcs名称与查询名称之间存在名称冲突时,我会使用它们。
Are MySQL injection attacks possible through the table name if the table name is created dynamically in PHP based on user inputs?
如果根据用户输入在PHP中动态创建表名,是否可以通过表名进行MySQL注入攻击?
When ever there is a user input, you need to make sure that you filter and validate the input coming from the user. So yes there is security risk to it.
当有用户输入时,您需要确保过滤并验证来自用户的输入。所以是的,存在安全风险。
I would recommend you to use intval for numbers and mysql_real_escape_string function for any variables that you may use in your queries.
我建议你使用intval作为数字,使用mysql_real_escape_string函数来处理你可能在查询中使用的任何变量。
#3
3
If you have a table name with the same name as a keyword, e.g. select, the following query will still work:
如果您的表名与关键字同名,例如选择,以下查询仍然有效:
select * from `select`;