如何在 Joomla 3 的查询中使用准备语句/绑定值? [英] How to use prepare statements / bind values in a query in Joomla 3?

问题描述

我想知道如何在 where 子句中绑定值.我知道出于安全原因必须这样做.

I'd like to know how to bind values in where clause. I have understood that is something that MUST be done for security reasons.

$db = JFactory::getDbo();
$query = $db->getQuery(true);
$query
    ->select("*")
    ->from($db->quoteName("food"))
    ->where("taste = :taste")
    ->bind(':taste', 'sweet');
$db->setQuery($query);
$rows = $db->loadAssocList();

我收到此错误:

您的 SQL 语法有错误；检查手册对应于您的 MySQL 服务器版本以使用正确的语法靠近第 3 行的 ':taste' SQL=SELECT * FROM food WHEREtaste = :taste

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ':taste' at line 3 SQL=SELECT * FROM food WHERE taste = :taste

我的代码基于这篇文章.它说在 Joomla 3.1 中只有PDO/Sqlite 和 PDO/Oracle 支持准备好的语句"，我使用的是 Joomla 3.2.1 和 MySQL，在我的 Joomla 配置 MySQLi.可能是这个问题吗?

My code is based on this post. It said that in Joomla 3.1 only "PDO/Sqlite and PDO/Oracle are supporting prepared statements", I am using Joomla 3.2.1 and MySQL, and in my Joomla configuration MySQLi. Could be that the problem?

我很困惑，因为我不知道必须遵循什么 API/Class.

I am quite confused because I dont know what API / Class have to follow.

• JDatabase for Joomla 3.x 有没有绑定方法，而且资料很少，好像没有完成.
• JDatabase for Joomla 2.5 有更多信息，但显然是不是我的版本.没有绑定方法.
• JDatabaseQuery for Joomla 3.x 没有绑定方法
• JDatabaseQuerySqlite for Joomla 3.x 有 绑定方法
• JDatabaseQueryPdo for Joomla 3.x 没有绑定方法
• Joomla 3.x 的 JTable 有 绑定方法

• JDatabase for Joomla 3.x there is no bind method, and the information is scant, seems like is not completed.
• JDatabase for Joomla 2.5 has more information, but obviously is not my version. there is no bind method.
• JDatabaseQuery for Joomla 3.x there is no bind method
• JDatabaseQuerySqlite for Joomla 3.x has bind method
• JDatabaseQueryPdo for Joomla 3.x there is no bind method
• JTable for Joomla 3.x has bind method

我什至开始怀疑是否必须使用 JFactory::getDbo() 在 Joomla DB 中选择/插入/更新/删除数据.

Even I'm starting to doubt if I have to use JFactory::getDbo() to Select/Insert/Update/Delete data in Joomla DB.

提前致谢.

推荐答案

据我所知，您不能使用准备好的语句，也不能使用 Joomla 绑定值.

As far as I know, you can't use prepared statements nor bind values with Joomla.

如果您从 Joomla 文档 (http://docs.joomla.org/Secure_coding_guidelines#Constructing_SQL_queries)，他们不讨论准备好的语句，只讨论使用强制转换或引用来避免 SQL 注入.

If you read the Secure Coding Guideliness from the Joomla documentation (http://docs.joomla.org/Secure_coding_guidelines#Constructing_SQL_queries), they don't talk about prepared statements, only about using casting or quoting to avoid SQL injection.

这篇关于如何在 Joomla 3 的查询中使用准备语句/绑定值?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！