Updated: 2023-02-05 22:41:48
Of course it can.
What if in_var equals the following?
' UNION SELECT password from admins --
To avoid that, you should use not a cargo cult prepared statement but a real one, substituting your variable with a placeholder.
-- The query text is a constant: the variable never becomes part of the SQL
SET @query = CONCAT("SELECT * FROM my_table WHERE my_column = ? LIMIT 1;");
PREPARE stmt FROM @query;
-- The value is bound to the ? placeholder at execution time (USING takes user variables)
EXECUTE stmt USING @in_var;
DEALLOCATE PREPARE stmt;
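The following is an added example, not code from the original answer: the "cargo cult" pattern the answer warns about, beside the real prepared statement, written as two MySQL stored procedures so the two can be called with the same payload. The tables my_table and admins, their columns, and the procedure names are assumptions made for illustration.

```sql
-- Added example (not from the original answer). Schema and names are assumed.
CREATE TABLE my_table (id INT PRIMARY KEY, my_column VARCHAR(100));
CREATE TABLE admins   (id INT PRIMARY KEY, password  VARCHAR(100));
INSERT INTO my_table VALUES (1, 'alice');
INSERT INTO admins   VALUES (1, 'hunter2');   -- constructed sample data

DELIMITER //

-- Cargo cult version: PREPARE is used, but in_var has already been spliced
-- into the query text, so the server parses it as SQL, not as a value.
CREATE PROCEDURE lookup_cargo_cult(IN in_var VARCHAR(200))
BEGIN
  SET @query = CONCAT("SELECT id, my_column FROM my_table WHERE my_column = '",
                      in_var, "' LIMIT 1");
  PREPARE stmt FROM @query;
  EXECUTE stmt;
  DEALLOCATE PREPARE stmt;
END //

-- Real version: the query text is constant and in_var is bound to the ?
-- placeholder at EXECUTE time, so it can only ever be compared as a string.
CREATE PROCEDURE lookup_prepared(IN in_var VARCHAR(200))
BEGIN
  SET @query = "SELECT id, my_column FROM my_table WHERE my_column = ? LIMIT 1";
  PREPARE stmt FROM @query;
  SET @in_var = in_var;            -- EXECUTE ... USING accepts user variables only
  EXECUTE stmt USING @in_var;
  DEALLOCATE PREPARE stmt;
END //

DELIMITER ;

-- The answer's payload, with the column list widened to two columns so the
-- UNION matches the outer SELECT; the trailing "-- " comments out "' LIMIT 1".
SET @payload = "' UNION SELECT id, password FROM admins -- ";

CALL lookup_cargo_cult(@payload);  -- returns the admins row: injection succeeded
CALL lookup_prepared(@payload);    -- returns no rows: the payload is just a string
```

Two details worth noticing when porting this into an existing procedure: `EXECUTE ... USING` only takes user variables (`@in_var`), not procedure parameters, which is why the parameter is copied first; and the placeholder only works where a value is legal, so table and column names still cannot be parameterized this way and must be validated against an allow-list before being concatenated.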