Laravel SelectRaw与DB:Raw [英] Laravel SelectRaw vs DB:Raw

问题描述

第一

 DB::table('someTable')
->selectRaw('count(*), min(some_field) as someMin, max(another_field) as someMax')
->get();

第二:

DB::table('someTable')->select(
array(
        DB::raw('min(some_field) as someMin'),
        DB::raw('max(another_field) as someMax'),
        DB::raw('COUNT(*) as `count`')
    )
)->get()

以上两个查询结果相同，但我的问题是 如果我有这两个查询可能的安全问题(SQL注入) 直接在有条件的地方使用用户输入.

The above two query result is same , but my question is there any possible security issues(SQL injections) with these two queries if i use user inputs directly in where conditions.

推荐答案

按照Laravel的文档:

As per Laravel's documentation:

注意:Laravel查询构建器使用PDO参数绑定来保护 您的应用程序免受SQL注入攻击.没有必要 干净的字符串作为绑定传递.

Note: The Laravel query builder uses PDO parameter binding to protect your application against SQL injection attacks. There is no need to clean strings being passed as bindings.

这篇关于Laravel SelectRaw与DB:Raw的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！