How to use prepared statements / bind values in a query in Joomla 3?
Question
I'd like to know how to bind values in a where clause. I have understood that this is something that MUST be done for security reasons.
$db = JFactory::getDbo();
$query = $db->getQuery(true);
$query
->select("*")
->from($db->quoteName("food"))
->where("taste = :taste")
->bind(':taste', 'sweet');
$db->setQuery($query);
$rows = $db->loadAssocList();
I get this error:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ':taste' at line 3 SQL=SELECT * FROM `food` WHERE taste = :taste
My code is based on this post. It said that in Joomla 3.1 only "PDO/Sqlite and PDO/Oracle are supporting prepared statements". I am using Joomla 3.2.1 and MySQL, with MySQLi in my Joomla configuration. Could that be the problem?
I am quite confused because I don't know which API / class I have to follow.
- JDatabase for Joomla 3.x: there is no bind method, and the information is scant; it seems not to be complete.
- JDatabase for Joomla 2.5 has more information, but obviously it is not my version. There is no bind method.
- JDatabaseQuery for Joomla 3.x: there is no bind method.
- JDatabaseQuerySqlite for Joomla 3.x has a bind method.
- JDatabaseQueryPdo for Joomla 3.x: there is no bind method.
- JTable for Joomla 3.x has a bind method.
I'm even starting to doubt whether I have to use JFactory::getDbo() to Select/Insert/Update/Delete data in the Joomla DB.
Thanks.
Accepted answer
As far as I know, you can't use prepared statements or bind values with Joomla.
If you read the Secure Coding Guidelines in the Joomla documentation (http://docs.joomla.org/Secure_coding_guidelines#Constructing_SQL_queries), they don't talk about prepared statements, only about using casting or quoting to avoid SQL injection.
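The error in the question shows the MySQLi driver sending the literal placeholder `:taste` to the server, so on that driver the value has to be made safe before it is embedded in the SQL text. The following is an added example, not code from the original post or from the Joomla project, showing the quoting and casting approach the answer refers to, with the vulnerable string-concatenation form next to the hardened one. It assumes the Joomla 3.x JDatabaseDriver and JDatabaseQuery API (JFactory::getDbo(), getQuery(), quoteName(), quote(), setQuery(), loadAssocList()) and a hypothetical `food` table with `calories` and `taste` columns; the request parameter names `taste` and `max_calories` are assumptions as well.

```php
<?php
// Added example (not from the original post or the Joomla project).
// Assumes the Joomla 3.x database API and a hypothetical `food` table.

/**
 * Vulnerable form: untrusted input is concatenated straight into the WHERE
 * clause. A value containing a single quote ends the string literal and the
 * rest of the input is parsed as SQL, which is exactly the injection the
 * Secure Coding Guidelines warn about.
 */
function findFoodUnsafe(JDatabaseDriver $db, $userTaste)
{
    return $db->getQuery(true)
        ->select('*')
        ->from($db->quoteName('food'))
        ->where("taste = '" . $userTaste . "'");
}

/**
 * Hardened form, following the quoting/casting approach from the Joomla docs:
 *  - string values go through $db->quote(), which escapes them for the active
 *    driver and wraps them in quotes, so the entire input stays one literal;
 *  - numeric values are cast to int, so only digits can reach the SQL text;
 *  - identifiers go through $db->quoteName().
 * Two where() calls are combined with AND by JDatabaseQuery.
 */
function findFoodSafe(JDatabaseDriver $db, $userTaste, $userMaxCalories)
{
    $maxCalories = (int) $userMaxCalories;

    return $db->getQuery(true)
        ->select($db->quoteName(array('id', 'name', 'taste', 'calories')))
        ->from($db->quoteName('food'))
        ->where($db->quoteName('taste') . ' = ' . $db->quote($userTaste))
        ->where($db->quoteName('calories') . ' <= ' . $maxCalories);
}

// Usage: read the (untrusted) request values through JInput, build the
// hardened query and run it. Parameter names are assumptions for this example.
$db    = JFactory::getDbo();
$input = JFactory::getApplication()->input;

$taste  = $input->getString('taste', '');
$maxCal = $input->getInt('max_calories', 0);

$db->setQuery(findFoodSafe($db, $taste, $maxCal));
$rows = $db->loadAssocList();
```

The vulnerable function is included only so the two forms can be compared side by side; in real code only `findFoodSafe` should be used. Note that quoting and casting protect the values, not the query structure: column names or sort directions taken from user input still need to be validated against an allow-list before being passed to `quoteName()`, since `quoteName()` only quotes an identifier, it does not check that it is one you intended to expose.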