The condition field and table field name in SQL are the same, resulting in full table query

WBOY
Release: 2016-08-18 09:15:29
Original

Hello everyone, I am a newbie. In practice I came across statements like the following:

<code>SELECT * FROM seller_item_classify where sid=$sid order by cweight asc ;
</code>

$sid is the value passed from the front end, seller_item_classify is the table name, and sid is a field name in that table.
If the value passed in $sid happens to be 'sid', the SQL WHERE clause becomes ineffective, causing a full-table query.

Because in a production environment the value of $sid may be either numeric or a char, should I filter the front-end input value in PHP?

What do you think of this issue?

Reply content:


<code>"SELECT * FROM seller_item_classify where sid='$sid' order by cweight asc ;"</code>

Front-end input values must be filtered on the back end, and it is recommended to use SQL prepared statements.

Add '' around all SQL condition values

<code>sid = '$sid'</code>

What about aliasing with `as`, does that work?

Add single quotes and it will be solved

<code>'SELECT * FROM seller_item_classify where sid='.$sid.' order by cweight asc ;'</code>

Use PDO prepared statements

<code><?php
// Read the sid parameter, trim it, and escape HTML special characters
$sid = isset($_REQUEST['sid']) ? htmlspecialchars(trim($_REQUEST['sid'])) : '';
if (!$sid or $sid == 'sid') {
    // Illegal request; an exception can be thrown here
}</code>
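The behaviour described in the question, together with the two fixes suggested in the replies above (wrapping the value in single quotes, and using a prepared statement), as an added example that is not part of the original thread. It uses Python's sqlite3 module instead of PHP/MySQL so that it runs stand-alone; the rows are constructed sample data and the cname column is an assumption. It also tries inputs beyond the thread's 'sid' case to show which variants survive them.

```python
import sqlite3

# Constructed sample data standing in for the post's seller_item_classify table
# (columns sid and cweight are from the post; cname is an assumption).
ROWS = [
    (1, "shoes", 10),
    (1, "hats", 20),
    (2, "bags", 5),
    (3, "belts", 1),
]


def make_db():
    """Build an in-memory SQLite table holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE seller_item_classify (sid INTEGER, cname TEXT, cweight INTEGER)"
    )
    conn.executemany("INSERT INTO seller_item_classify VALUES (?, ?, ?)", ROWS)
    return conn


def query_unquoted(conn, sid):
    """The pattern from the question: the raw value is spliced in without quotes.
    sid='sid' produces WHERE sid=sid, which is true for every row."""
    sql = f"SELECT * FROM seller_item_classify WHERE sid={sid} ORDER BY cweight ASC"
    return conn.execute(sql).fetchall()


def query_quoted(conn, sid):
    """The 'add single quotes' fix: 'sid' is now a string literal, not a column
    reference, but the value is still spliced into the SQL text."""
    sql = f"SELECT * FROM seller_item_classify WHERE sid='{sid}' ORDER BY cweight ASC"
    return conn.execute(sql).fetchall()


def query_prepared(conn, sid):
    """Parameterised query: the value is bound, never parsed as SQL.
    PDO equivalent: $pdo->prepare(...)->execute([$sid])."""
    sql = "SELECT * FROM seller_item_classify WHERE sid=? ORDER BY cweight ASC"
    return conn.execute(sql, (sid,)).fetchall()


def row_counts(sid):
    """Rows returned by each variant for one front-end supplied value.
    A variant that produces broken SQL is reported as 'syntax error'."""
    conn = make_db()
    counts = {}
    for name, fn in (("unquoted", query_unquoted),
                     ("quoted", query_quoted),
                     ("prepared", query_prepared)):
        try:
            counts[name] = len(fn(conn, sid))
        except sqlite3.Error:
            counts[name] = "syntax error"
    return counts


if __name__ == "__main__":
    # "1" is a legitimate request; the rest are inputs an attacker controls.
    for value in ("1", "sid", "SID", "1 OR 1=1", "' OR '1'='1"):
        print(repr(value), row_counts(value))
```

The unquoted form returns the whole table not only for `sid` but also for `SID` (identifiers are case-insensitive) and for `1 OR 1=1`, none of which the `$sid == 'sid'` check in the last reply catches. Quoting stops the column-name trick but a value such as `' OR '1'='1` still dumps the table, so quoting is not a substitute for a prepared statement; in PHP that is `$stmt = $pdo->prepare('SELECT * FROM seller_item_classify WHERE sid = ? ORDER BY cweight ASC'); $stmt->execute([$sid]);`.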
source:php.cn