First of all: my code works and there is no problem with it, but it is not entirely secure. I don't know how to bind my query. I know a bit about bindParam / bindValue, but I don't know how to use them in my case...
My query is built from parts, and which parts are used depends on the AJAX POST:
```php
// Optional filters arriving from the AJAX POST
if(!empty($_POST['manufacturers']))
    $manufacturers = $_POST['manufacturers'];
else
    $manufacturers = null;

if(!empty($_POST['processors']))
    $processors = $_POST['processors'];
else
    $processors = null;

// Each selected filter becomes an extra IN(...) clause appended to the query
if($manufacturers != null)
    $manufacturers = ' AND manufacturer.slug IN('.$manufacturers.')';
if($processors != null)
    $processors = ' AND processors.slug IN('.$processors.')';
```
The full query would then be:
```php
$query = "bla bla my query";
$query = $query.$processors.$manufacturers;
```
An example query is:
```sql
SELECT manufacturer.name AS ManufName,
       model.model_name AS ModelName,
       processors.name ProcName,
       laptops.resolution,
       inches.name,
       graphic_card.name GraphName,
       laptops.memory_type,
       laptops.memory_size,
       laptops.ram,
       laptops.price,
       laptops.image_path
FROM manufacturer, model, processors, inches, graphic_card, laptops
WHERE manufacturer.id = Laptops.manufacturer_id
  AND model.id = Laptops.model_id
  AND inches.id = Laptops.inches_id
  AND processors.id = Laptops.processor_id
  AND graphic_card.id = Laptops.graphic_card_id
  AND manufacturer.slug IN('Dell','Lenovo')
  AND processors.slug IN('Intel_core_i5','Intel_core_i7')
```
From the POST I get, in this case: 'Dell','Lenovo' and secondly I get: 'Intel_core_i5','Intel_core_i7'
The query changes with every checkbox change in the user interface...
So if the user only checks a checkbox from manufacturers, the query will not be the same as when the user checks checkboxes from both manufacturers and processors...
I need to prevent something like this:
```javascript
$.post('ajaxCallback.php', {manufacturers: 'sleep(15)'});
```
How can I bind this query, or how can I make it properly secure?
I appreciate any help and advice!
Thanks a lot!
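One way to bind a variable-length IN(...) list with PDO, as an added example that is not the asker's code: the client posts arrays instead of pre-quoted strings, the code generates one `?` placeholder per value and passes the values to `execute()`, so no user input is ever concatenated into the SQL text. It assumes an existing PDO connection `$pdo` and the hypothetical helper names `inClause`, `postArray` and `fetchLaptops`.

```php
<?php
// Added example, not the asker's code. Assumes $pdo is an existing PDO
// connection to the same schema and that the AJAX call now posts arrays, e.g.
//   $.post('ajaxCallback.php', {manufacturers: ['Dell','Lenovo']});
// jQuery sends this as manufacturers[]=Dell&manufacturers[]=Lenovo, which PHP
// exposes as $_POST['manufacturers'] = ['Dell', 'Lenovo'].

// Returns " AND <column> IN(?,?,...)" with one placeholder per value and
// appends the values to $params. The column name is chosen by the code, never
// by the request; only the values come from the user, and they are bound.
function inClause(string $column, array $values, array &$params): string
{
    if ($values === []) {
        return '';                      // no filter selected: omit the clause
    }
    $placeholders = implode(',', array_fill(0, count($values), '?'));
    foreach ($values as $value) {
        $params[] = (string) $value;    // bound as data, never interpolated
    }
    return " AND $column IN($placeholders)";
}

// Reads an optional array parameter from the POST body; anything else is ignored.
function postArray(array $post, string $key): array
{
    return isset($post[$key]) && is_array($post[$key]) ? array_values($post[$key]) : [];
}

function fetchLaptops(PDO $pdo, array $post): array
{
    $params = [];
    $sql = "SELECT manufacturer.name AS ManufName, model.model_name AS ModelName,
                   processors.name AS ProcName, laptops.resolution, inches.name,
                   graphic_card.name AS GraphName, laptops.memory_type,
                   laptops.memory_size, laptops.ram, laptops.price, laptops.image_path
            FROM manufacturer, model, processors, inches, graphic_card, laptops
            WHERE manufacturer.id = laptops.manufacturer_id
              AND model.id = laptops.model_id
              AND inches.id = laptops.inches_id
              AND processors.id = laptops.processor_id
              AND graphic_card.id = laptops.graphic_card_id"
         . inClause('manufacturer.slug', postArray($post, 'manufacturers'), $params)
         . inClause('processors.slug', postArray($post, 'processors'), $params);

    $stmt = $pdo->prepare($sql);        // SQL text is fixed before execute()
    $stmt->execute($params);            // values travel separately from the query
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}
```

Call it from ajaxCallback.php as `fetchLaptops($pdo, $_POST)`; a value such as `sleep(15)` then only ever matches (or fails to match) a slug, and with `PDO::ATTR_EMULATE_PREPARES` set to false the MySQL driver sends the values separately from the statement.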