MySQL
Roman Nadtochy, 2016-03-04 21:04:59

What are the pitfalls when performing an erroneous request?

There is a certain web service that pulls certain data from the database at the client's request using dynamic queries (the name of the table to pull from is a variable like 'table_%', where % is the table number). The response is an array of query results. Sometimes a client may wish to retrieve data from a table that does not exist. In this case, he needs to be given an empty array. Now it's done like this: I check if the table number is an integer and just send a query to the database; if it returns an error, I send an empty array to the client. Are there any downsides to this approach?


3 answer(s)
Ilya Erokhin, 2016-03-04
@AirWorker

> I check whether the table number is an integer

If there is no way to validate the table precisely before querying the DB, you can skip validating it altogether. Just send the query and wait for an exception with a specific message. The main thing is that all variables in the query are properly escaped, so that you don't get an SQL injection.

mofecuju, 2016-03-04
@mofecuju

Why send a database query if you have already checked the table number?
As I understand it, the number of the table determines whether it really exists or not.

Dmitry Kovalsky, 2016-03-05
@dmitryKovalskiy

You can do a check like this:
and if the table is not found - return what you want.
P.S. If it's not too much trouble, explain where you got such a table structure from, that you are not even sure a suitable one exists. And for naming tables table_%number I would sentence to a vasectomy. This is unrealistic to support; the purpose of the tables is unknown.
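
An added example (not part of any answer above, and not the asker's code) of the flow the thread discusses: strict validation of the table number, an existence check, and no blanket conversion of database errors into an empty array. It assumes a Python DB-API cursor with the `%s` parameter style; `table_name`, `fetch_rows` and `StubCursor` are hypothetical names, and the stub stands in for a real MySQL connection so the block runs offline.

```python
import re

# ASCII digits only: \d and int() also accept Unicode digits, "+7", " 7", "1_0".
# The 6-digit bound is an assumption of this example.
_TABLE_NO = re.compile(r"[0-9]{1,6}")

def table_name(raw):
    """Return 'table_<n>' for a strictly numeric string, else None."""
    if not isinstance(raw, str) or not _TABLE_NO.fullmatch(raw):
        return None  # fullmatch also rejects a trailing newline
    return "table_" + raw

def fetch_rows(cur, raw):
    """Rows of table_<raw>, or [] when the number is invalid or the table is absent."""
    name = table_name(raw)
    if name is None:
        return []
    # Existence check: the name travels as a bound parameter.
    cur.execute(
        "SELECT 1 FROM information_schema.tables "
        "WHERE table_schema = DATABASE() AND table_name = %s",
        (name,),
    )
    if cur.fetchone() is None:
        return []
    # Identifiers cannot be bound; name contains only 'table_' plus ASCII digits.
    # Any error raised here is a real failure and is not turned into [].
    cur.execute("SELECT * FROM `%s`" % name)
    return list(cur.fetchall())

class StubCursor:
    """Constructed stand-in for a DB-API cursor so the example runs offline."""
    def __init__(self, tables):
        self.tables, self.log, self._rows = tables, [], []
    def execute(self, sql, params=()):
        self.log.append((sql, params))
        if "information_schema" in sql:
            self._rows = [(1,)] if params[0] in self.tables else []
        else:
            self._rows = list(self.tables[sql.split("`")[1]])
    def fetchone(self):
        return self._rows[0] if self._rows else None
    def fetchall(self):
        return self._rows

if __name__ == "__main__":
    cur = StubCursor({"table_7": [(1, "a"), (2, "b")]})  # constructed sample data
    for raw in ("7", "8", "7; DROP TABLE x", "7\n"):
        print(repr(raw), "->", fetch_rows(cur, raw))
```

Because only a missing table maps to an empty array, a dropped connection or a permissions error still surfaces as an exception instead of looking like "no data" to the client.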
