Article From:https://www.cnblogs.com/112358nizhipeng/p/9971062.html

day61

Anti SQL injection

delimiter \\
CREATE PROCEDURE p4 (
       in tpl varchar(255),
       in arg int
)
BEGIN
       set @xo = arg;              # USING accepts only user (@) variables, so copy the parameter first
       set @sql = tpl;             # PREPARE ... FROM likewise needs a string literal or a user variable
       PREPARE xxx FROM @sql;      # parse the template once; the ? is a placeholder for a value
       EXECUTE xxx USING @xo;      # run it with @xo bound to the ?; the value is never parsed as SQL
       DEALLOCATE prepare xxx;     # xxx is just the statement name, any identifier will do
END\\
delimiter ;

The variables after USING must be user-defined (session) variables, written with the @ prefix. A procedure parameter or a DECLAREd local variable cannot be passed directly, which is why arg is copied into @xo first; the same rule applies to the statement text given to PREPARE FROM, which must be a string literal or a user variable. The protection against injection comes from binding the value to the ? placeholder at EXECUTE time: the value is never spliced into the SQL text, so quotes or keywords inside it cannot change the statement. That holds only for the bound values. The template itself (tpl) must be a fixed string written in the application, never assembled from user input, or the PREPARE step will parse whatever the user supplied.

When called:

call p4('select * from tb where id > ?', 9);
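The contrast this section is making, as an added example that is not part of the original post: a stored procedure that splices its argument into the SQL text with CONCAT before PREPARE, beside one that binds the argument through a ? placeholder. The table student with columns sid and sname, the two procedure names and the hostile payload are all constructed for this illustration and do not appear in the original.

```sql
-- Added example, not from the original post. Assumes a MySQL session with
-- a table `student` (sid INT, sname VARCHAR); it is created here.
DROP TABLE IF EXISTS student;
CREATE TABLE student (sid INT PRIMARY KEY, sname VARCHAR(64));
INSERT INTO student VALUES (1, 'alice'), (2, 'bob'), (3, 'carol');

delimiter \\

-- Vulnerable: the caller's value is pasted into the SQL text before PREPARE,
-- so a quote inside the value ends the literal and the rest is parsed as SQL.
CREATE PROCEDURE find_by_name_unsafe (in who varchar(64))
BEGIN
    SET @sql = CONCAT('select * from student where sname = ''', who, '''');
    PREPARE stmt FROM @sql;
    EXECUTE stmt;
    DEALLOCATE PREPARE stmt;
END\\

-- Hardened: the SQL text is a fixed literal; the value is bound to the ? at
-- EXECUTE time and is compared as data, never parsed as SQL.
CREATE PROCEDURE find_by_name_safe (in who varchar(64))
BEGIN
    SET @who = who;   -- USING needs a user (@) variable, not the parameter itself
    PREPARE stmt FROM 'select * from student where sname = ?';
    EXECUTE stmt USING @who;
    DEALLOCATE PREPARE stmt;
END\\

delimiter ;

-- Benign input: both procedures return the single row for alice.
CALL find_by_name_unsafe('alice');
CALL find_by_name_safe('alice');

-- Hostile input (constructed): the argument is the string  ' or '1'='1
-- ('' inside a quoted literal is an escaped single quote).
-- The unsafe procedure executes
--     select * from student where sname = '' or '1'='1'
-- and returns all three rows. The safe procedure looks for a name that is
-- literally equal to the payload string and returns no rows.
CALL find_by_name_unsafe(''' or ''1''=''1');
CALL find_by_name_safe(''' or ''1''=''1');
```

The difference is entirely in where the user value meets the parser: in find_by_name_unsafe it is part of the text handed to PREPARE, so the parser sees it; in find_by_name_safe the parser only ever sees the fixed template, and the value arrives afterwards through USING. Building the template with CONCAT from anything a user controls reintroduces the first case regardless of how the remaining values are bound.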


Link of this Article: MySQL (dynamic execution of SQL)
