TYPO3 extension: question about the function fullQuoteArray()

Time: 2013-07-29 06:02:19

Tags: typo3

I am reading an extension file and came across the following code:

$GLOBALS['TYPO3_DB']->exec_UPDATEquery(
    'tx_jcjob_job',
    'uid = ' . $this->piVars['job'],
    array('hit_counter' => 'hit_counter + 1'),
    array('hit_counter')
);

Then in the file class.t3lib_db.php I checked two functions: function exec_UPDATEquery()

 * @param   string      Database tablename
 * @param   string      WHERE clause, eg. "uid=1". NOTICE: You must escape values in this argument with $this->fullQuoteStr() yourself!
 * @param   array       Field values as key=>value pairs. Values will be escaped internally. Typically you would fill an array like "$updateFields" with 'fieldname'=>'value' and pass it to this function as argument.
 * @param   string/array        See fullQuoteArray()
 * @return  pointer     MySQL result pointer / DBAL object
 */
function exec_UPDATEquery($table, $where, $fields_values, $no_quote_fields = FALSE)

and function fullQuoteArray()

/**
 * Will fullquote all values in the one-dimensional array so they are ready to "implode" for an sql query.
 *
 * @param   array       Array with values (either associative or non-associative array)
 * @param   string      Table name for which to quote
 * @param   string/array        List/array of keys NOT to quote (eg. SQL functions) - ONLY for associative arrays
 * @return  array       The input array with the values quoted
 * @see cleanIntArray()
 */
function fullQuoteArray($arr, $table, $noQuote = FALSE)

But I still have questions:

How does this work: array('hit_counter')? Or, in other words, how does function fullQuoteArray() work? What does this mean: "fullquote all values in the one-dimensional array"?

1 answer:

Answer 0 (score: 0)

It uses the function real_escape_string (since 6.x) or mysql_real_escape (before 6.x) on every array value. So every value should be SQL injection safe.

No magic inside :)
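An added illustration (not the asker's or the answerer's code, and not TYPO3's own implementation): a simplified PHP model of fullQuoteArray() and exec_UPDATEquery() that shows why array('hit_counter') is passed and why the WHERE clause still has to be escaped by the caller. The model* function names and the $piVars value are assumptions made for this example.

```php
<?php
// Added illustration, not TYPO3's own code: a cut-down model of what
// fullQuoteArray() and exec_UPDATEquery() in class.t3lib_db.php do.

// Stands in for fullQuoteStr(): escape and wrap in single quotes. TYPO3
// delegates the escaping to the driver's real_escape_string.
function modelFullQuoteStr(string $value): string
{
    return "'" . str_replace(['\\', "'"], ['\\\\', "\\'"], $value) . "'";
}

// Model of fullQuoteArray($arr, $table, $noQuote): quote every value whose
// key is NOT listed in $noQuote (a comma-separated string or an array).
function modelFullQuoteArray(array $arr, $noQuote = false): array
{
    if (is_string($noQuote)) {
        $noQuote = explode(',', $noQuote);
    }
    foreach ($arr as $key => $value) {
        if ($noQuote === false || !in_array($key, $noQuote, true)) {
            $arr[$key] = modelFullQuoteStr((string) $value);
        }
    }
    return $arr;
}

// Model of exec_UPDATEquery(): field values are quoted for you, $where is not.
function modelUpdateQuery(string $table, string $where, array $fields, $noQuote = false): string
{
    $set = [];
    foreach (modelFullQuoteArray($fields, $noQuote) as $field => $value) {
        $set[] = $field . '=' . $value;
    }
    return 'UPDATE ' . $table . ' SET ' . implode(',', $set) . ' WHERE ' . $where;
}

$piVars = ['job' => '42']; // constructed stand-in for $this->piVars

// The page's call concatenates $this->piVars['job'] into the WHERE with no
// escaping (see the docblock NOTICE); casting the request value keeps it numeric.
$where = 'uid = ' . (int) $piVars['job'];

// With array('hit_counter') the value stays the SQL expression hit_counter + 1.
echo modelUpdateQuery('tx_jcjob_job', $where,
    ['hit_counter' => 'hit_counter + 1'], ['hit_counter']), "\n";

// Without the no-quote list the same value becomes the string literal
// 'hit_counter + 1', i.e. text assigned to the column, not an increment.
echo modelUpdateQuery('tx_jcjob_job', $where,
    ['hit_counter' => 'hit_counter + 1']), "\n";
```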