mySQL 当 field=0 时返回所有行
我正在进行一些测试,当我查询表时,令人惊讶的是,查询 SELECT * FROM table WHERE email=0 返回了表中的所有行。
该表没有“0”值,并且填充了常规电子邮件。
为什么会出现这种情况?这可能会导致严重的安全问题。
有没有办法在不修改查询的情况下避免这种情况?
我在这里错过了什么吗?
谢谢。
I was making some tests, and it was a surprise when i was querying a table, and the query SELECT * FROM table WHERE email=0 returned all rows from the table.
This table has no '0' values and it's populated with regular e-mails.
Why this happens? This can lead to serious security problems.
Is there a way to avoid this without modifying the query?
Am i missing something here?
Thanks.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(4)
这是因为它将电子邮件字段(我假设是 varchar 字段)转换为整数。任何没有有效整数的字段都将等于 0。您应该确保仅将字符串字段与字符串值进行比较(日期也是如此,与日期进行比较)。查询应如下所示。
This is because it is converting the email field (which I assume is a varchar field) to an integer. Any field without a valid integer will equate to 0. You should make sure that you only compare string fields to string values (same goes for dates, comparing to dates). The query should be as follows.
您的
email列是CHAR或VARCHAR类型。当您使用条件email = 0时,MySQL 会将email列的内容转换为整数,以便将它们与您提供的 0 进行比较。如果您将 0 用引号引起来,则查询将按预期工作。 (email = '0')在 MySQL 中将非数字字符串转换为整数将得到 0。
相反,如果您尝试对数字字符串执行相同的操作,它们可能会正确转换:
Your
emailcolumn is aCHARorVARCHARtype. When you use the conditionemail = 0, MySQL is casting the contents of theemailcolumn to an integer in order to compare them with the 0 you supplied. Had you surrounded your 0 in quotes, the query would work as expected. (email = '0')Converting a non-numeric string to an integer in MySQL will result in 0.
In contrast, if you attempted the same thing with numeric strings, they may cast correctly:
电子邮件字段可能是字符,而您正在匹配数字值。
尝试与,
The email field is probably characters and you are matching numeric values.
Try with,
如果您想获取电子邮件列不应为空或空的所有记录,那么您可以使用
if you want to get all record in which email column should not be blank or empty, then you can use