您好我有下面的语句需要帮助防止SQL注入
function count_rows($table_name, $condition = null, $debug = false)
{
$query_result = $this->query("SELECT count(*) AS count_rows FROM " . $this->db_prefix . $table_name . " " . $condition, $debug);
$count_rows = $this->sql_result($query_result, 0, 'count_rows');
return $count_rows;
}
我一直在使用SQL注入我插件的Firefox,它给我的错误,同时运行发生
一个MySQL错误脚本:
The query you are trying to run is invalid
Mysql Error Output: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '))' at line 2
SQL Query: SELECT count(*) AS count_rows FROM database_auctions a WHERE a.active=1 AND a.approved=1 AND a.deleted=0 AND a.list_in!='store' AND a.catfeat='1' AND a.closed=0 AND (a.category_id IN())
如何清理此查询针对sql注入?
清理无效查询吗?我不明白。 – 2013-01-13 23:20:05
嗨,大家好,让我解释一下,我使用插件sql注入了我并在发布字段'OR用户名IS NOT NULL或用户名='后得到了错误,它通常不是无效的查询并且工作正常 – user1973125