How to use prepare statements / bind values in a query in Joomla 3?


Problem description


I'd like to know how to bind values in a WHERE clause. I have understood that this is something that MUST be done for security reasons.

// Get the configured database driver (MySQLi in this installation)
$db = JFactory::getDbo();
// A fresh, empty query object
$query = $db->getQuery(true);
$query
    ->select("*")
    ->from($db->quoteName("food"))
    ->where("taste = :taste")       // named placeholder
    ->bind(':taste', 'sweet');      // attempt to bind the value to the placeholder
$db->setQuery($query);
$rows = $db->loadAssocList();

I get this error:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ':taste' at line 3 SQL=SELECT * FROM food WHERE taste = :taste


My code is based on this post. It said that in Joomla 3.1 only "PDO/Sqlite and PDO/Oracle are supporting prepared statements". I am using Joomla 3.2.1 and MySQL, and MySQLi in my Joomla configuration. Could that be the problem?


I am quite confused because I don't know which API / class I have to follow.

  • JDatabase for Joomla 3.x: there is no bind method, and the information is scant; it seems incomplete.
  • JDatabase for Joomla 2.5 has more information, but obviously it is not my version. There is no bind method.
  • JDatabaseQuery for Joomla 3.x: there is no bind method.
  • JDatabaseQuerySqlite for Joomla 3.x has a bind method.
  • JDatabaseQueryPdo for Joomla 3.x: there is no bind method.
  • JTable for Joomla 3.x has a bind method.


I'm even starting to doubt whether I have to use JFactory::getDbo() to select/insert/update/delete data in the Joomla DB.

Thanks.

Recommended answer


As far as I know, you can't use prepared statements nor bind values with Joomla.


If you read the Secure Coding Guidelines from the Joomla documentation (http://docs.joomla.org/Secure_coding_guidelines#Constructing_SQL_queries), they don't talk about prepared statements, only about using casting or quoting to avoid SQL injection.
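To show what "casting or quoting" looks like in practice with the Joomla 3 query builder when the MySQLi driver offers no bind(), here is an added example; it is not code from the question, the answer, or the Joomla project. It assumes a Joomla 3 bootstrap (so JFactory, JDatabaseDriver and JInput exist); the table "food", its columns, the request parameter names and the function findFood() are hypothetical.

```php
<?php
// Added example: building a WHERE clause from user input without prepared
// statements, the way the Joomla 3 Secure Coding Guidelines describe.
// Assumes a Joomla 3 bootstrap; table, columns and findFood() are hypothetical.

function findFood(JDatabaseDriver $db, $taste, $maxCalories)
{
    $query = $db->getQuery(true);

    // Strings go through $db->quote(): the driver escapes the value and wraps
    // it in single quotes, so quote characters in $taste cannot end the literal.
    // Integers are cast with (int): the result can only ever be digits.
    // What must be avoided is raw concatenation, e.g.
    //   ->where("taste = '" . $taste . "'")
    // which lets the value change the structure of the statement.
    $query
        ->select($db->quoteName(array('id', 'name', 'taste', 'calories')))
        ->from($db->quoteName('food'))
        ->where($db->quoteName('taste') . ' = ' . $db->quote($taste))
        ->where($db->quoteName('calories') . ' <= ' . (int) $maxCalories);

    $db->setQuery($query);

    // Each row as an associative array, or an empty array when nothing matches
    return $db->loadAssocList();
}

// Read the request through JInput rather than $_GET so the filter runs first.
// 'taste' and 'max_calories' are hypothetical parameter names.
$input       = JFactory::getApplication()->input;
$taste       = $input->getString('taste', '');
$maxCalories = $input->getInt('max_calories', 0);

$rows = findFood(JFactory::getDbo(), $taste, $maxCalories);
```

Note that quoting and casting protect the value positions only; column names, table names and ORDER BY directions that come from user input still have to be validated against a whitelist before they are passed to quoteName().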
