php - I try to query a mysql column which has the name "5". This outputs the wrong column which has the name "22" -
i try query mysql column has name "5". outputs wrong column has name "22".
this php code, $pid variable getting android app , number. when search $pid = 5, instead of getting column "5" artist1, getting column "22" eternal1.
basically confuses column name # in first print screen. if # doesn't exist, searches correctly; if search 16 column 16. how fix this?
$pid = $_get["pid"]; $result=mysql_query("select * tablecomments `$pid` not null ");
this design in sql dialects can think of offhand. know several people who, out of habit, add order 0 desc or order 1 ad hoc queries, first pick typically id column , second "name" column or similar. they're querying based on ordinal position of field in query (or schema, in case of *)
in order column named 5, need use appropriate sql quoting mechanism dialect , configuration. example, microsoft sql , access typically use select * tablecomments [5]=5; in postgres , oracle you'd use select * tablecomments "5"=5, , in mysql, quoted identifiers quoted backtick select * tablecomments `5`=5. in microsoft sql can make things more oracle , postgres if session has set quoted_identifier on, in case you'd use quotes instead of square brackets.
as aside, important one, should not take user input , directly embed in sql. if intercept http transmission between android app , php app (trivial proxy charles or fiddler), they'd able replay http request arbitrary sql injected. other commenters have noted, please use parameterized query instead.
since you're trying modify query rather parameters, may need consider whitelisting allowed field names (or compare string you're sent against fields represented in schema).
Comments
Post a Comment