Sql injection and updateall cakephp issue


Problem description

Hi, I'm running into a problem in CakePHP when I use this query:

$this->Rh->CompetencesUser->updateAll(array(
    'CompetencesUser.niveau' => "'$value[1]'",
    'CompetencesUser.expertise' => $value[2],
    'CompetencesUser.rh_id' => $this->Rh->getLastInsertId()
), array(
    'CompetencesUser.user_id' => $this->request->params['pass'][0],
    'CompetencesUser.competence_id' => $value[3]
));

It works, but when I enter some characters like ' in the field $value[1] it shows an error. So how can I escape this character, or can I use another method? Because $value[1] doesn't work without adding those quotes. Thanks in advance.

Recommended answer

As stated in the docs, "Literal values should be quoted manually using DboSource::value()."

For example:

$db = $this->Rh->CompetencesUser->getDataSource();
$this->Rh->CompetencesUser->updateAll(
    // quote the literal through the datasource instead of by hand
    ['CompetencesUser.niveau' => $db->value($value[1], 'string')],
    [ /* some conditions */ ]
);

In most cases updateAll() is not the right choice of method for saving data, and save() would be better suited. Take a look at Use CakePHP 2's updateAll() Method with Caution!
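The following is an added example, not code from the question or the answer above. It puts the three approaches side by side in one CakePHP 2.x controller action: the hand-quoted updateAll() from the question, the DboSource::value() fix from the answer applied to every literal in the SET clause, and the save() path the answer recommends. It assumes the Rh hasMany CompetencesUser association used in the question, a hypothetical action name and a constructed $value array standing in for attacker-controlled form input; the field names niveau, expertise, rh_id, user_id and competence_id are the question's own.

```php
<?php
App::uses('AppController', 'Controller');

/**
 * Added example (not from the original question or answer).
 * Assumes CakePHP 2.x with Rh hasMany CompetencesUser, and that an Rh record
 * has just been saved so that getLastInsertId() is meaningful.
 */
class RhsController extends AppController {

	public $uses = array('Rh');

	// Hypothetical action; $userId plays the role of $this->request->params['pass'][0].
	public function updateCompetence($userId = null) {
		// Constructed sample input: index 1 contains a single quote, which is
		// exactly the case the question describes. With manual quoting the quote
		// closes the SQL literal early and the rest of the string becomes SQL.
		$value = array(
			1 => "expert', expertise = 'admin",
			2 => 'medium',
			3 => 7,
		);
		$Comp = $this->Rh->CompetencesUser;
		$db = $Comp->getDataSource();

		// 1. Vulnerable (the question's form): the value is concatenated into the
		//    SET clause verbatim. Shown only as a comment; never run this.
		//    $Comp->updateAll(
		//        array('CompetencesUser.niveau' => "'{$value[1]}'"),
		//        array('CompetencesUser.user_id' => $userId)
		//    );

		// 2. Fixed updateAll(): field values are SQL expressions, so every literal
		//    goes through $db->value(). Only the condition values are escaped for
		//    you, which is why expertise and rh_id are quoted here as well.
		$Comp->updateAll(
			array(
				'CompetencesUser.niveau'    => $db->value($value[1], 'string'),
				'CompetencesUser.expertise' => $db->value($value[2], 'string'),
				'CompetencesUser.rh_id'     => $db->value($this->Rh->getLastInsertId(), 'integer'),
			),
			array(
				'CompetencesUser.user_id'       => $userId,
				'CompetencesUser.competence_id' => $value[3],
			)
		);

		// 3. Preferred: find the row, then save() it. save() binds the values
		//    through the datasource and also runs validation and model callbacks,
		//    which updateAll() skips.
		$row = $Comp->find('first', array(
			'conditions' => array(
				'CompetencesUser.user_id'       => $userId,
				'CompetencesUser.competence_id' => $value[3],
			),
			'fields' => array('CompetencesUser.id'),
		));
		if ($row) {
			$Comp->id = $row['CompetencesUser']['id'];
			$Comp->save(array('CompetencesUser' => array(
				'niveau'    => $value[1],
				'expertise' => $value[2],
				'rh_id'     => $this->Rh->getLastInsertId(),
			)));
		}

		$this->redirect(array('action' => 'index'));
	}
}
```

The practical check is to enable query logging in the datasource (or inspect $db->getLog()) after each variant: the fixed updateAll() and the save() call both produce a SET clause in which the embedded quote is doubled inside the literal, whereas the commented-out form produces an extra, attacker-chosen assignment.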

