php - Variable in "SELECT $var FROM... ", is this safe or open to SQL injection?


I've been learning prepared statements and binding parameters, and had hoped to be able to do this:

SELECT ? FROM table WHERE id = ?

However, I found that you can't use a bound parameter for the table or column names, and after searching here I understand the reason why.

That leaves me with a question. Is it safe to use a variable like this:

$fields = "col1, col2, col3";
SELECT $fields FROM table WHERE id = ?

I ask because I have a large statement, and it's nice to be able to make the statement short and use $fields to contain the long string. I could use SELECT *, except I'm storing and binding the results (not sure if that's actually necessary... I haven't tried to use $stmt->get_result() yet, I only upgraded PHP to be able to use it yesterday).

I have a general idea of how SQL injection works, and from the reading I've been doing it seems the idea of a prepared and parametrized statement is that it prevents SQL injection by having SQL not run the whole statement, but break it apart, to put it simply...

Yet when I put in the $fields variable, am I opening up SQL injection by having the variable directly in the statement? $fields is hard coded, not coming from any source other than the code (not the user, not the database). I don't know to what extent SQL injections can potentially attack, which is why I'm asking here. I can deal with the long statement, but help me understand the proper way to make it more secure.

Thank you.

"$fields is hardcoded, not coming from any source"

This means you do not have to worry about injections at all, even if you use it in another place of the statement.

You should of course be careful not to make it "public" later on!
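The two situations discussed above side by side, as an added example that is not code from the question or the answer: a hard-coded column list interpolated into a mysqli prepared statement, and the allow-list check you need once the column list stops being hard-coded. The connection, the table `items` and its columns are assumed.

```php
<?php
// Added example, not code from the original question or answer. Assumes a
// mysqli connection (mysqlnd enabled, for get_result()) and a hypothetical
// table `items` with columns col1, col2, col3.
// Shared query runner: the column list is interpolated (identifiers cannot
// be bound), the id is bound as a parameter.
function selectById(mysqli $db, string $fieldList, int $id): ?array
{
    $stmt = $db->prepare("SELECT $fieldList FROM items WHERE id = ?");
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Case 1 (the question): the column list is a string literal in the source.
// Nothing from outside the program reaches the SQL text, so this is safe.
const ITEM_FIELDS = 'col1, col2, col3';

function fetchItem(mysqli $db, int $id): ?array
{
    return selectById($db, ITEM_FIELDS, $id);
}

// Case 2 (the answer's caveat): if the column list ever comes from a caller
// (query string, form, user-editable config), the same interpolation becomes
// an injection point. Validate each name against an allow-list and quote it.
const ALLOWED_FIELDS = ['col1', 'col2', 'col3'];

function buildFieldList(array $requested): string
{
    $safe = [];
    foreach ($requested as $name) {
        if (!in_array($name, ALLOWED_FIELDS, true)) {
            throw new InvalidArgumentException('unknown column requested');
        }
        $safe[] = "`$name`";   // backticks: only allow-listed names get here
    }
    if ($safe === []) {
        throw new InvalidArgumentException('no columns requested');
    }
    return implode(', ', $safe);
}

function fetchItemFields(mysqli $db, int $id, array $requested): ?array
{
    return selectById($db, buildFieldList($requested), $id);
}
```

The allow-list compares against known column names rather than escaping the input, because identifier escaping is not what prepared statements provide and a rejected name is the safer outcome.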

