如何在Yii框架中使用mysql_escape_string()? [英] How to use mysql_escape_string() in Yii framework?
问题描述
众所周知,我们无法在诸如Yii之类的框架中使用原始MySQL查询.我想在运行于Yii框架中的项目中使用mysql_escape_string
来避免用户输入中的SQL注入.
As we all know, we cannot use raw MySQL queries in frameworks such as Yii. I want to use mysql_escape_string
in my project which runs in Yii framework to get away from SQL injection in user input.
我知道mysql_escape_string
在PHP 5.5中已弃用,并且我有PDO替代方法. Yii框架中的替代方法是什么?还有mysql_escape_string()的PDO方法是什么?
I am aware that mysql_escape_string
is deprecated in PHP 5.5 and that I have a PDO alternative. What is the alternative in Yii framework and also the PDO way of mysql_escape_string()?
推荐答案
PDO中mysql_escape_string
的替代方法是使用准备好的语句.以Yii为例:
The alternative to mysql_escape_string
in PDO is using prepared statements. In Yii for example:
$user = Yii::app()->db->createCommand()
->select('username, password')
->from('tbl_user')
->where('id=:id', array(':id'=>$_GET['userId']))
->queryRow();
(从Yii参考文档 http://www.yiiframework.com/doc/api/1.1/CDbCommand )
当您在准备好的语句中通过占位符传递参数时,可以防止SQL注入.
You are secured you against SQL injection when you pass parameters through placeholders in a prepared statement.
这篇关于如何在Yii框架中使用mysql_escape_string()?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!