How to filter out the where clause in a query builder?

I am building a dynamic application with a query builder that consists of four select lists in which the user can enter the table, column, operator and attribute name. Now I also want the user to be able to select ALL. So the user should then only be able to select the table and the column name (= ALL). But I don't know how to filter out the where clause. This is my PHP script so far:
<?php
include "connect.php";

// Raw request input; nothing is validated, so each value lands in the SQL text as-is
$table         = $_GET['tableSelected'];
$field         = $_GET['fieldSelected'];
$attribute     = $_GET['attributeSelected'];
$operator      = $_GET['operatorSelected'];
$tableList     = $_GET['tableList'];
$fieldList     = $_GET['fieldList'];
$attributeList = $_GET['attributeList'];

// Always append the geometry column (as GeoJSON) to the selected fields
$fieldstr = $fieldList . ",ST_AsGeoJSON(ST_Transform(l.geom,4326))";

// The WHERE clause is emitted unconditionally, even when the user chose ALL
$sql = "SELECT $fieldstr
        FROM $table l
        WHERE $field $operator '{$attribute}'";

if (!$response = pg_query($conn, $sql)) {
    echo "A query error occurred.\n";
    exit;
}

// Print each row as comma-separated values, rows terminated by ';'
while ($row = pg_fetch_row($response)) {
    foreach ($row as $i => $attr) {
        echo $attr . ", ";
    }
    echo ";";
}
?>
Build the query string dynamically and only add the 'WHERE' condition when the 3 required fields are not empty. By the way, you should replace the values with placeholders and use a whitelist for database, table and column names to avoid SQL injection / breaking the query. – jeroen
Yes, that is the idea. But how do I do that, @jeroen? –
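One way to implement what jeroen describes, as an added example that is not the asker's script: table, column and operator names are checked against whitelists and quoted as identifiers, the value is bound as a placeholder, and WHERE is only appended when all three filter inputs are present. It assumes connect.php defines $conn (a pg_connect() resource) as in the question; the table and column names in the whitelists are constructed and stand in for the real schema.

```php
<?php
// Added example, not the asker's script. Assumes connect.php defines $conn
// (a pg_connect() resource) as in the question; table/column names are constructed.
include "connect.php";
// Whitelists: only these identifiers and operators may appear in the SQL text.
$allowedFields = [
    'parcels'   => ['id', 'owner', 'area'],
    'buildings' => ['id', 'name', 'height'],
];
$allowedOperators = ['=', '<>', '<', '>', '<=', '>=', 'LIKE'];
$table     = $_GET['tableSelected'] ?? '';
$fieldList = $_GET['fieldList'] ?? '';
$field     = $_GET['fieldSelected'] ?? '';
$operator  = $_GET['operatorSelected'] ?? '';
$attribute = $_GET['attributeSelected'] ?? '';

// Table must be a whitelisted key; reject anything else before building SQL.
if (!isset($allowedFields[$table])) {
    exit("Unknown table.\n");
}
// Keep only whitelisted columns from the comma-separated list, quoted as identifiers.
$cols = [];
foreach (array_map('trim', explode(',', $fieldList)) as $f) {
    if (in_array($f, $allowedFields[$table], true)) {
        $cols[] = pg_escape_identifier($conn, $f);
    }
}
if ($cols === []) {
    exit("No valid columns selected.\n");
}
$cols[] = "ST_AsGeoJSON(ST_Transform(l.geom, 4326))";
$sql    = "SELECT " . implode(', ', $cols) . " FROM " . pg_escape_identifier($conn, $table) . " l";
$params = [];

// "ALL" leaves field/operator/attribute empty, so no WHERE is added. Otherwise the
// identifier and operator come from the whitelists and the value is bound as $1.
if ($field !== '' && $operator !== '' && $attribute !== '') {
    if (!in_array($field, $allowedFields[$table], true) || !in_array($operator, $allowedOperators, true)) {
        exit("Invalid filter.\n");
    }
    $sql     .= " WHERE " . pg_escape_identifier($conn, $field) . " $operator \$1";
    $params[] = $attribute;
}
$response = pg_query_params($conn, $sql, $params);
if ($response === false) {
    exit("A query error occurred.\n");
}
while ($row = pg_fetch_row($response)) {
    echo implode(', ', $row), ";";
}
```

With no filter selected the request runs as a plain SELECT over the whitelisted columns; with a filter, the user's value never becomes part of the SQL string, so quotes or operators in it cannot change the query.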