无法使用动态编号创建 MYSQL EXECUTE 命令。用户定义的变量(防止 sql-injectiondatabase-mysql)
Unable to create the MYSQL EXECUTE command by using dynamic no. of user defined variables (prevent sql-injectiondatabase-mysql)
我一直在尝试使用用户定义变量的动态数量来执行 prepare 语句,但我找不到任何示例来解决我的问题。
我有一个 mysql 存储过程,它接受超过 15 个参数。根据输入参数的值,查询的条件得到added/removed to/from 过程。因此,用户定义的变量也应该根据添加到过程中的条件进行更改。那么,有什么方法可以使用用户定义变量的动态编号来执行 proc 吗?
这是我的示例存储过程,
DELIMITER $$
DROP PROCEDURE IF EXISTS `aaa`$$
CREATE PROCEDURE `aaa`(IN param1 VARCHAR(255),IN param2 VARCHAR(255), IN param3 VARCHAR(255)
,IN param4 VARCHAR(255),IN param5 VARCHAR(255),IN param6 VARCHAR(255),
IN param7 VARCHAR(255),IN param8 VARCHAR(255),IN param9 VARCHAR(255),
IN param10 VARCHAR(255)
)
BEGIN
SET @v1 = param1;
SET @v2 = param2;
SET @v3 = param3;
SET @v4 = param4;
SET @v5 = param5;
SET @v6 = param6;
SET @v7 = param7;
SET @v8 = param8;
SET @v9 = param9;
SET @v10 = param10;
BEGIN
SET @QUERY = CONCAT("SELECT * FROM test.customer where name= 'abcd' ");
IF param1 IS NOT NULL THEN
SET @QUERY = CONCAT(@QUERY," AND field1 = ? ");
END IF;
IF param2 IS NOT NULL THEN
SET @QUERY = CONCAT(@QUERY," AND field2 = ? ");
END IF;
IF param3 IS NOT NULL THEN
SET @QUERY = CONCAT(@QUERY," AND field3 = ? ");
END IF;
IF param4 IS NOT NULL THEN
SET @QUERY = CONCAT(@QUERY," AND field4 = ? ");
END IF;
IF param5 IS NOT NULL THEN
SET @QUERY = CONCAT(@QUERY," AND field5 = ? ");
END IF;
IF param6 IS NOT NULL THEN
SET @QUERY = CONCAT(@QUERY," AND field6 = ? ");
END IF;
IF param7 IS NOT NULL THEN
SET @QUERY = CONCAT(@QUERY," AND field8 = ? ");
END IF;
IF param8 IS NOT NULL THEN
SET @QUERY = CONCAT(@QUERY," AND field8 = ? ");
END IF;
IF param9 IS NOT NULL THEN
SET @QUERY = CONCAT(@QUERY," AND field9 = ? ");
END IF;
IF param10 IS NOT NULL THEN
SET @QUERY = CONCAT(@QUERY," AND field10 = ? ");
END IF;
PREPARE stmt FROM @QUERY;
EXECUTE stmt using @v1,@v2,.......; -- varies based on the condition satisfied. can we make this dynamic??
DEALLOCATE PREPARE stmt;
END;
END$$
DELIMITER ;
这是一个解决方案:
SET @QUERY = CONCAT('SELECT * FROM test.customer where name= ''abcd'' ');
IF param1 IS NOT NULL THEN
SET @QUERY = CONCAT(@QUERY,' AND field1 = ? ');
ELSE
SET @QUERY = CONCAT(@QUERY,' AND ? IS NULL');
END IF;
IF param2 IS NOT NULL THEN
SET @QUERY = CONCAT(@QUERY,' AND field2 = ? ');
ELSE
SET @QUERY = CONCAT(@QUERY,' AND ? IS NULL');
END IF;
...same for the other params...
PREPARE stmt FROM @QUERY;
EXECUTE stmt using @v1, @v2, @v3, @v4, @v5, @v6, @v7, @v8, @v9, @v10;
DEALLOCATE PREPARE stmt;
此解决方案允许 EXECUTE 接受相同数量的参数。其中一些将针对该列进行测试,否则将使用 IS NULL
进行测试,这将是真实的,因为我们仅在我们已经知道它们为 NULL 时才使用该谓词。
注意我也将 "
更改为 '
。我建议不要将 "
用作字符串分隔符,因为其含义可能会根据您的 SQL_MODE.
而改变
我一直在尝试使用用户定义变量的动态数量来执行 prepare 语句,但我找不到任何示例来解决我的问题。
我有一个 mysql 存储过程,它接受超过 15 个参数。根据输入参数的值,查询的条件得到added/removed to/from 过程。因此,用户定义的变量也应该根据添加到过程中的条件进行更改。那么,有什么方法可以使用用户定义变量的动态编号来执行 proc 吗?
这是我的示例存储过程,
DELIMITER $$
DROP PROCEDURE IF EXISTS `aaa`$$
CREATE PROCEDURE `aaa`(IN param1 VARCHAR(255),IN param2 VARCHAR(255), IN param3 VARCHAR(255)
,IN param4 VARCHAR(255),IN param5 VARCHAR(255),IN param6 VARCHAR(255),
IN param7 VARCHAR(255),IN param8 VARCHAR(255),IN param9 VARCHAR(255),
IN param10 VARCHAR(255)
)
BEGIN
SET @v1 = param1;
SET @v2 = param2;
SET @v3 = param3;
SET @v4 = param4;
SET @v5 = param5;
SET @v6 = param6;
SET @v7 = param7;
SET @v8 = param8;
SET @v9 = param9;
SET @v10 = param10;
BEGIN
SET @QUERY = CONCAT("SELECT * FROM test.customer where name= 'abcd' ");
IF param1 IS NOT NULL THEN
SET @QUERY = CONCAT(@QUERY," AND field1 = ? ");
END IF;
IF param2 IS NOT NULL THEN
SET @QUERY = CONCAT(@QUERY," AND field2 = ? ");
END IF;
IF param3 IS NOT NULL THEN
SET @QUERY = CONCAT(@QUERY," AND field3 = ? ");
END IF;
IF param4 IS NOT NULL THEN
SET @QUERY = CONCAT(@QUERY," AND field4 = ? ");
END IF;
IF param5 IS NOT NULL THEN
SET @QUERY = CONCAT(@QUERY," AND field5 = ? ");
END IF;
IF param6 IS NOT NULL THEN
SET @QUERY = CONCAT(@QUERY," AND field6 = ? ");
END IF;
IF param7 IS NOT NULL THEN
SET @QUERY = CONCAT(@QUERY," AND field8 = ? ");
END IF;
IF param8 IS NOT NULL THEN
SET @QUERY = CONCAT(@QUERY," AND field8 = ? ");
END IF;
IF param9 IS NOT NULL THEN
SET @QUERY = CONCAT(@QUERY," AND field9 = ? ");
END IF;
IF param10 IS NOT NULL THEN
SET @QUERY = CONCAT(@QUERY," AND field10 = ? ");
END IF;
PREPARE stmt FROM @QUERY;
EXECUTE stmt using @v1,@v2,.......; -- varies based on the condition satisfied. can we make this dynamic??
DEALLOCATE PREPARE stmt;
END;
END$$
DELIMITER ;
这是一个解决方案:
SET @QUERY = CONCAT('SELECT * FROM test.customer where name= ''abcd'' ');
IF param1 IS NOT NULL THEN
SET @QUERY = CONCAT(@QUERY,' AND field1 = ? ');
ELSE
SET @QUERY = CONCAT(@QUERY,' AND ? IS NULL');
END IF;
IF param2 IS NOT NULL THEN
SET @QUERY = CONCAT(@QUERY,' AND field2 = ? ');
ELSE
SET @QUERY = CONCAT(@QUERY,' AND ? IS NULL');
END IF;
...same for the other params...
PREPARE stmt FROM @QUERY;
EXECUTE stmt using @v1, @v2, @v3, @v4, @v5, @v6, @v7, @v8, @v9, @v10;
DEALLOCATE PREPARE stmt;
此解决方案允许 EXECUTE 接受相同数量的参数。其中一些将针对该列进行测试,否则将使用 IS NULL
进行测试,这将是真实的,因为我们仅在我们已经知道它们为 NULL 时才使用该谓词。
注意我也将 "
更改为 '
。我建议不要将 "
用作字符串分隔符,因为其含义可能会根据您的 SQL_MODE.