“我通过使用绑定参数重写它们来适应我的一些查询,以防止sql注入.对于简单的查询,这很简单:
例如
// Old code
$sql = "SELECT * FROM some_table WHERE id = 4 AND author = 'Bob'";
$this->db->query($sql);
// New Bound sql query
$sql = "SELECT * FROM some_table WHERE id = ? AND author = ?";
$this->db->query($sql, array(4, 'Bob'));
我在使用IN运算符进行查询时遇到麻烦.如建议的here,我尝试了以下方法:
// Old code
$sql = "SELECT * FROM some_table WHERE id = 7 AND author IN ('Bob','Geoff)";
$this->db->query($sql);
// New Bound sql query
$sql = "SELECT * FROM some_table WHERE id = ? AND author IN ?";
$this->db->query($sql, array(7, array('Bob','Geoff')));
“You have an error in your sql Syntax; check the manual that
corresponds to your MysqL server version for the right Syntax to use
near ‘Array’ at line 6”
看来查询已更改为:
"SELECT * FROM some_table WHERE id = '5' AND author IN Array"
我真的看不到我在做什么错.有什么建议么?
解决方法:
您可以使用where_in作为
$array = array('Bob', 'Geoff');
$this->db->select('*');
$this->db->where('id', 7);
$this->db->where_in('author', $array);//WHERE author IN ('Bob', 'Geoff')
$this->db->get('some_table');
版权声明:本文内容由互联网用户自发贡献,该文观点与技术仅代表作者本人。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌侵权/违法违规的内容, 请发送邮件至 dio@foxmail.com 举报,一经查实,本站将立刻删除。