The front end passes an array of parameters [mobile phone number, column name to be modified, new value for that column]. How should this SQL be written?

[Problem description]: the front end uses Vue.js to modify user information, and some modules share common components;
when the user enters a module (figure 2) and clicks the Save button, the database is updated;

[screenshots omitted: clipboard.png (figure 1), clipboard.png (figure 2)]

The backend uses the same SQL for all of them (update table name set column name = new value where mobile = a user),
but [column name, new value, user] are all parameters passed by the front end.
My SQL is written as: UPDATE user SET ? = ? WHERE mobile = ?
But I asked a colleague, and he said there is a risk of injection.
[Question]: so how should I write this SQL?

Mar.23,2021

Not a backend developer, so to put it simply, correct me if I'm wrong:

handwritten SQL should filter sensitive fields and guard against SQL injection, with preventive measures in place;

what I really want to say is: damn, isn't this the backend's job? (funny)


Do you mean the backend should prevent injection when writing update statements? That is, try not to build MySQL queries by string concatenation; if you must, also validate the input with a regular expression, written according to your needs.
It is best to use an ORM framework to operate on the database.
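Both answers above make the same two points (filter which fields may be edited, and never build the statement from request strings), so here is one added example that illustrates both. It is not code from the original post; it assumes Python's standard-library sqlite3 module, a constructed `user` table with an `is_admin` column the UI never exposes, and a made-up mobile number. The unsafe function shows why `UPDATE user SET ? = ? WHERE mobile = ?` cannot simply be "parameterized": a column name is an identifier, not a value, so drivers will not bind it, and concatenating it lets the request add its own SET clauses. The safe function maps the front-end field name through an allow-list so the identifier in the statement only ever comes from server-side code.

```python
import sqlite3

# Constructed sample schema (not from the original post): a minimal `user`
# table whose `is_admin` column must never be editable from this endpoint.
SCHEMA = """
CREATE TABLE user (
    mobile   TEXT PRIMARY KEY,
    nickname TEXT,
    email    TEXT,
    is_admin INTEGER NOT NULL DEFAULT 0
);
"""


def make_db() -> sqlite3.Connection:
    """Create an in-memory database with one constructed user row."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute(
        "INSERT INTO user (mobile, nickname, email) VALUES (?, ?, ?)",
        ("13800000000", "alice", "alice@example.com"),  # constructed data
    )
    conn.commit()
    return conn


def update_unsafe(conn: sqlite3.Connection, column: str, value, mobile: str) -> int:
    """Vulnerable: the value and mobile are bound with '?', but the column
    name comes straight from the request and is pasted into the SQL text.
    A 'column' such as "is_admin = 1, nickname" turns into
    UPDATE user SET is_admin = 1, nickname = ? WHERE mobile = ?"""
    sql = f"UPDATE user SET {column} = ? WHERE mobile = ?"
    cur = conn.execute(sql, (value, mobile))
    conn.commit()
    return cur.rowcount


# Allow-list: front-end field name -> real column name. Only these may be
# updated here; sensitive columns (is_admin, password, ...) are simply absent.
EDITABLE_COLUMNS = {
    "nickname": "nickname",
    "email": "email",
}


def update_safe(conn: sqlite3.Connection, field: str, value, mobile: str) -> int:
    """Hardened: the identifier is looked up in a server-side constant, so
    request input never reaches the SQL text; values are still bound with '?'."""
    try:
        column = EDITABLE_COLUMNS[field]
    except KeyError:
        raise ValueError(f"field not editable: {field!r}") from None
    # `column` is now one of our own literals; quoting it as an identifier
    # is an extra guard in case the allow-list ever gains an odd name.
    sql = f'UPDATE user SET "{column}" = ? WHERE mobile = ?'
    cur = conn.execute(sql, (value, mobile))
    conn.commit()
    return cur.rowcount


def get_user(conn: sqlite3.Connection, mobile: str):
    """Fetch a row as a dict, or None if the mobile is unknown."""
    row = conn.execute(
        "SELECT nickname, email, is_admin FROM user WHERE mobile = ?", (mobile,)
    ).fetchone()
    if row is None:
        return None
    return {"nickname": row[0], "email": row[1], "is_admin": row[2]}


if __name__ == "__main__":
    mobile = "13800000000"
    # Constructed payload: the "column name" smuggles an extra SET clause.
    payload = "is_admin = 1, nickname"

    conn = make_db()
    update_unsafe(conn, payload, "bob", mobile)
    print("unsafe:", get_user(conn, mobile))  # is_admin is now 1

    conn = make_db()
    try:
        update_safe(conn, payload, "bob", mobile)
    except ValueError as exc:
        print("safe rejected:", exc)
    update_safe(conn, "nickname", "bob", mobile)
    print("safe:", get_user(conn, mobile))  # nickname changed, is_admin still 0
```

The same allow-list idea carries over to an ORM: the front end sends a field key, the backend maps it to a model attribute it has decided is editable, and anything else is rejected before any query is built. A regex on the column name alone is weaker, because a name like `is_admin` passes an "identifier-only" check yet still lets the user write a field the form never offered.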
