Laravel插入查询中的绑定参数 [英] Binding parameters in laravel insert query

问题描述

使用Laravel的查询生成器，我通过以下查询形成了数据库事务:

Using Laravel's query builder, I formed a database transaction with the following queries:

DB::transaction(function($map) {

    DB::connection('network')->table('Maps')
                              ->insert([
                                    'Name' => '?',
                                    'Gametype' => '?',
                                    'Author' => '?',
                                    'Enabled' => '?',
                                    'Public' => '?',
                                    'Required' => '?',
                                    'Image' => '?',
                                    'ReleaseDate' => '?',
                                    'ContactInfo' => '?',
                                ], [
                                    $map['name'], 
                                    $map['game'], 
                                    $map['creator'], 
                                    $map['enabled'], 
                                    $map['public'], 
                                    $map['required'], 
                                    $map['image-url'], 
                                    $map['released'], 
                                    $map['contact'],
                                ]); 

    DB::connection('website')->table('panel_logs')
                             ->insert([

                                    'message' => 'Added a new map to '. $map['game'] .' called '. $map['name'] .'.',
                                    'timestamp' => Carbon::now(),
                                    'tag' => 2,
                                    'username' => Auth::user()->username

                                ]);

});

第一个查询使用查询绑定将数据插入数据库.我有一个名为maps的数组，其中包含用于插入的数据，我想绑定这些值，但是由于将第二个数组视为另一个插入，因此它无法正常工作.在文档中，他们没有提供使用构建器进行查询绑定的示例.仅插入数据而不进行绑定会更好吗?因为我认为Laravel与其构建器一起使用预准备的语句，这是否仍然可以保护我免受SQL注入的侵害.我只是想确保事情不会发生严重错误.

The first query inserts data into a database using query bindings. I have an array called maps containing the data for the insert and I would like to bind on the values however it's not working because it's treating the second array as another insert. In the docs, they didn't provide an example of query binding using the builder. Would it be better just to insert the data without binding? Will this still protect me from SQL injection as I think Laravel uses prepared statements anyway with their builder. I just would like to make sure things don't go horribly wrong.

推荐答案

Connection和查询Builder类上有不同的insert方法.

There are different insert methods on the Connection and query Builder classes.

DB::connection('network') // this is Connection object
   ->table('Maps') // but now it's Query\Builder object

Connection insert将查询字符串作为第一个参数，并将绑定作为第二个参数，而另一个则为您完成工作(无需手动绑定任何内容).

Connection insert takes a query string as 1st param, and bindings as 2nd param, while the other one does the job for you (no need to bind anything manually).

所以您需要做的只是这个:

So what you need to do is simply this:

DB::connection('network')->table('Maps')
  ->insert([
        'Name' => $maps['name'],
        'Gametype' => $maps['game'],
        ...
    ]);

Builder将负责准备语句并绑定其值.

Builder will take care of preparing statement and binding its values.

还需要稍微更改交易部分:

Also you need to change the transaction part a bit:

DB::transaction(function($con) use ($map) {

这篇关于Laravel插入查询中的绑定参数的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！