【问题标题】:ZF2 sanitize variables for DB queriesZF2 清理数据库查询的变量
【发布时间】:2013-03-07 14:55:45
【问题描述】:

在 Zend Framework 2 中进行数据库查询时,我应该如何清理用户提交的值?比如下面SQL中的$id

$this->tableGateway->adapter->query(
  "UPDATE comments SET spam_votes = spam_votes + 1 WHERE comment_id = '$id'",
  \Zend\Db\Adapter\Adapter::QUERY_MODE_EXECUTE
);

【问题讨论】:

    标签: mysql zend-framework2 input-sanitization


    【解决方案1】:

    执行的时候可以传参数..

     $statement = $this->getAdapter()->query("Select * from test WHERE id = ?");
     $result = $statement->execute(array(99));
    
     $resultSet = new ResultSet;
     $resultSet->initialize($result);
    

    也可以直接传递给查询方法

     $statement = $this->getAdapter()->query(
        "Select * from test WHERE id = ?", 
        array(99)
     );
     $result = $statement->execute();
    
     $resultSet = new ResultSet;
     $resultSet->initialize($result);
    

    两者都会产生查询“Select * from test WHERE id = '99'”

    如果你想使用命名参数:

    $statement = $this->getAdapter()->query("Select * from test WHERE id = :id");
    $result = $statement->execute(array(
        ':id' => 99
    ));
    
    $resultSet = new ResultSet;
    $resultSet->initialize($result);
    

    如果您想引用您的表/字段名称等:

    $tablename = $adapter->platform->quoteIdentifier('tablename');
    
    $statement = $this->getAdapter()->query("Select * from {$tablename} WHERE id = :id");
    $result = $statement->execute(array(
        ':id' => 99
    ));
    

    【讨论】:

    • 太棒了,谢谢!我希望这不是傻,但是该数组也可以参数化吗? "Select * from test WHERE id = :id"array(':id' => 99)?
    猜你喜欢
    • 1970-01-01
    • 1970-01-01
    • 1970-01-01
    • 2013-12-24
    • 1970-01-01
    • 2019-04-22
    • 1970-01-01
    • 1970-01-01
    • 1970-01-01
    相关资源
    最近更新 更多