欢迎您访问程序员文章站本站旨在为大家提供分享程序员计算机编程知识!
您现在的位置是: 首页  >  后端开发

php的mysql_prepare不能使用表明一类级作为参数

程序员文章站 2022-05-16 12:08:43
...
No, a parameterised query doesn't just drop the parameter values in to the query string, it supplies the RDBMS with the parameterised query and the parameters separately. But such a query can't have a table name or field name as a parameter. The only way to do that is to dynamically code the table name into the query string, just as you have already done. If this string is potentially open to attack you should validate it first; such as against a white list list of allowable table