pass FILTER_SANITIZE_STRING


Question


I have this query:

$query="select * from news where news_id = (select max(news_id) from news where news_id< $id)";

To execute it I use a class. In this class:

public function query($query)
{
  // FILTER_SANITIZE_STRING strips tags from the whole SQL string before it is prepared
  $this->_query = filter_var($query, FILTER_SANITIZE_STRING);
  $stmt = $this->_prepareQuery();
  $stmt->execute();
  $results = $this->_dynamicBindResults($stmt);
  return $results;
}

Is there any way that the < sign is not filtered?

Solution

This is an utterly wrong way of running queries.
FILTER_SANITIZE_STRING has absolutely nothing to do with SQL.

You have to use SQL-specific routines when building an SQL query.

First of all, you should be aware of the difference between query and data.
While the query should remain intact, the data has to be formatted according to some rules.

Your current implementation of the query function is wrong.
If it's a general-purpose function, to run all types of queries, you have to implement some placeholders to represent your data in the query. A function like this:

// Method of a wrapper class that keeps its mysqli connection in $this->mysqli.
// Call as paraQuery($sqlWithPlaceholders, $value1, $value2, ...)
function paraQuery()
{
    $args  = func_get_args();
    $query = array_shift($args);                  // first argument is the SQL with %s / %d placeholders
    $query = str_replace("%s","'%s'",$query);     // every string placeholder gets quoted

    foreach ($args as $key => $val)
    {
        $args[$key] = $this->mysqli->real_escape_string($val);   // escape each value for this connection
    }

    $query  = vsprintf($query, $args);            // substitute the escaped values into the placeholders
    $result = $this->mysqli->query($query);
    if (!$result)
    {
        // mysqli::$error is a property holding the last error message
        throw new Exception($this->mysqli->error." [$query]");
    }
    return $result;
}

So you'll be able to run it this way:

$query = "select * from news where news_id = (select max(news_id) from news where news_id<%d)";
$result = $db->paraQuery($query, $id);
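The query-versus-data separation the answer argues for, carried through with mysqli prepared statements, as an added example that is not part of the original question or answer. It assumes a live mysqli connection in `$mysqli`, the `news` table from the question with an integer `news_id` column, and mysqlnd (needed for `get_result()`). The first function shows why the asker's `<` "disappears": FILTER_SANITIZE_STRING runs `strip_tags()` over the whole SQL text, a `<` not followed by whitespace opens what `strip_tags()` treats as a tag, and with no closing `>` the remainder of the string is discarded (the constant is deprecated since PHP 8.1). The second function is the fix: the integer is validated as data with FILTER_VALIDATE_INT, the SQL stays fixed text, and the value travels as a bound parameter so it is never parsed as SQL.

```php
<?php
// Added example, not code from the question or the answer above. Assumes a
// live mysqli connection in $mysqli, the `news` table from the question with
// an integer `news_id` column, and mysqlnd (for get_result()).
declare(strict_types=1);

// What the asker's wrapper does to the SQL text. Constructed input; the query is
// written without a space after '<' on purpose, so strip_tags() inside
// FILTER_SANITIZE_STRING treats "<$id)" as the start of an unterminated tag and
// drops everything from the '<' onward.
function sanitizeWholeQuery(int $id): string
{
    $query = "select * from news where news_id = (select max(news_id) from news where news_id<$id)";
    return (string) filter_var($query, FILTER_SANITIZE_STRING);
}

// The right layer: validate the *data* (an integer id), keep the *query* as
// fixed text, and hand the value to MySQL as a bound parameter. Whatever the
// raw value contains, it can only ever be compared against news_id.
function previousNews(mysqli $mysqli, $rawId): ?array
{
    // Data validation, not query sanitizing: anything that is not an integer is rejected here.
    $id = filter_var($rawId, FILTER_VALIDATE_INT);
    if ($id === false) {
        throw new InvalidArgumentException('news id must be an integer');
    }

    // The SQL never changes; '?' marks where the bound value goes.
    $sql = 'SELECT * FROM news WHERE news_id = (SELECT MAX(news_id) FROM news WHERE news_id < ?)';
    $stmt = $mysqli->prepare($sql);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $mysqli->error);
    }

    $stmt->bind_param('i', $id);   // 'i': sent to the server as an integer, no escaping involved
    if (!$stmt->execute()) {
        $stmt->close();
        throw new RuntimeException('execute failed: ' . $stmt->error);
    }

    $result = $stmt->get_result();   // mysqli_result with mysqlnd, false otherwise
    $row = $result === false ? null : $result->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Usage with assumed connection details:
// $mysqli = new mysqli('localhost', 'user', 'pass', 'db');
// $mysqli->set_charset('utf8mb4');
// $row = previousNews($mysqli, $_GET['id'] ?? '');
// A raw id such as "5) OR 1=1 -- " fails FILTER_VALIDATE_INT and never reaches the SQL;
// "5" arrives as the integer 5 and is compared, not interpolated.
```

If the wrapper class from the question must stay, the same principle applies inside it: `_prepareQuery()` should prepare the untouched SQL text and the values should go through `bind_param`, with filtering reserved for validating the values themselves.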
