使用 PHP 动态生成 MySQL 创建表脚本
我认为这之前没有发布过 - 因为这是一个非常具体的问题。
我有一个脚本,可以生成一个“创建表”脚本,其中包含自定义数量的列以及自定义类型和名称。
这是一个示例,应该足以让您使用 -
$cols = array();
$count = 1;
$numcols = $_POST['cols'];
while ($numcols > 0) {
$cols[] = mysql_real_escape_string($_POST[$count."_name"])." ".mysql_real_escape_string($_POST[$count."_type"]);
$count ++;
$numcols --;
}
$allcols = null;
$newcounter = $_POST['cols'];
foreach ($cols as $col) {
if ($newcounter > 1)
$allcols = $allcols.$col.",\n";
else
$allcols = $allcols.$col."\n";
$newcounter --;
};
$fullname = $_SESSION['user_id']."_".mysql_real_escape_string($_POST['name']);
$dbname = mysql_real_escape_string($_POST['name']);
$query = "CREATE TABLE ".$fullname." (\n".$allcols." )";
mysql_query($query);
echo create_table($query, $fullname, $dbname, $actualcols);
但由于某种原因,当我运行此查询时,它在 MySQL 中返回语法错误。这可能与换行符有关,但我无法弄清楚。帮助!
I do not think that this has been posted before - as this is a very specific problem.
I have a script that generates a "create table" script with a custom number of columns with custom types and names.
Here is a sample that should give you enough to work from -
$cols = array();
$count = 1;
$numcols = $_POST['cols'];
while ($numcols > 0) {
$cols[] = mysql_real_escape_string($_POST[$count."_name"])." ".mysql_real_escape_string($_POST[$count."_type"]);
$count ++;
$numcols --;
}
$allcols = null;
$newcounter = $_POST['cols'];
foreach ($cols as $col) {
if ($newcounter > 1)
$allcols = $allcols.$col.",\n";
else
$allcols = $allcols.$col."\n";
$newcounter --;
};
$fullname = $_SESSION['user_id']."_".mysql_real_escape_string($_POST['name']);
$dbname = mysql_real_escape_string($_POST['name']);
$query = "CREATE TABLE ".$fullname." (\n".$allcols." )";
mysql_query($query);
echo create_table($query, $fullname, $dbname, $actualcols);
But for some reason, when I run this query, it returns a syntax error in MySQL. This is probably to do with line breaks, but I can't figure it out. HELP!
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
您有多个 SQL 注入漏洞
mysql_real_escape_string()仅适用于值,不适用于其他任何内容。另外,您使用它是错误的,您需要用单引号引用您的值(又名参数)。
如果你不这样做,
mysql_real_escape_string()将不起作用,并且你会得到语法错误作为奖励。在
CREATE语句中没有参数,因此转义没有意义,也没有任何作用。您需要将列名称列入白名单,因为此代码绝对不执行任何操作来保护您。
编码恐怖
请参阅此问题以获取答案:
如何防止动态表名的 SQL 注入?
切勿在查询中使用
\n使用空格分隔元素。 MySQL 非常乐意接受您的查询作为一个长字符串。
如果要漂亮地打印查询,请使用两个空格代替
\n,并在屏幕上显示查询的代码中用换行符替换双空格。更多 SQL 注入
$SESSION['user_id']不安全,建议您将其转换为整数,然后将其输入查询中。因为您无法根据白名单对其进行检查,并且转义表名是没有意义的。将所有表名和列名用反引号括起来
`对于手写代码来说这不是必需的,但对于自动生成的代码来说这是必需的。
示例:
向大师学习
您可以使用以下 MySQL 查询在 MySQL 中生成表的创建语句:
您的代码需要准确复制此语句的输出。
You have multiple SQL-injection holes
mysql_real_escape_string()only works for values, not for anything else.Also you are using it wrong, you need to quote your values aka parameters in single quotes.
If you don't
mysql_real_escape_string()will not work and you will get syntax errors as a bonus.In a
CREATEstatement there are no parameters, so escaping makes no sense and serves no purpose.You need to whitelist your column names because this code does absolutely nothing to protect you.
Coding horror
see this question for answers:
How to prevent SQL injection with dynamic tablenames?
Never use
\nin a queryUse separate the elements using spaces. MySQL is perfectly happy to accept your query as one long string.
If you want to pretty-print your query, use two spaces in place of
\nand replace a double space by a linebreak in the code that displays the query on the screen.More SQL-injection
$SESSION['user_id']is not secure, you suggest you convert that into an integer and then feed it into the query. Because you cannot check it against a whitelist and escaping tablenames is pointless.Surround all table and column names in backticks
`This is not needed for handwritten code, but for autogenerated code it is essential.
Example:
Learn from the master
You can generate the create statement of a table in MySQL using the following MySQL query:
Your code needs to replicate the output of this statement exactly.