我正在尝试编写动态sql查询。查询适用于整数。但是,一旦我试图插入一个字符串就失败了。
下面是我的查询:
public function getList($params['SearchBy'])
{
$select = "
SELECT
u.id, u.firstName,u.lastName,u.city";
$from = "
FROM
user u";
$where = "
WHERE
u.live = 1 ";
if(isset($params['SearchBy']))
{
$where .= 'AND '. implode(' AND ', $params['SearchBy']);
}
$GroupBy = "
GROUP BY
u.id ";
$sql = $select.$from.$where.$GroupBy;
}
对于 searchby(),我会从搜索查询中动态生成这些值;然后我将它们放在一个数组中。:
$this->searchBy[$key][] = $key.' = '. $val;
当整数时,这非常有效。但字符串需要有"" 。我不确定逃避""以便它出现在查询中。 即
$this->searchBy[$topkey][] = $key.' = '. "$val";
我试过这样做但是没有用:
$this->searchBy[$topkey][] = $key.' = '. \"$val\";
会欣赏有关如何逃避它的任何建议。
谢谢。下面是从搜索派生的原始sql查询;
SELECT
u.id,u.picNo,
u.membershipType,
u.firstName,u.lastName
FROM
user u
LEFT OUTER JOIN
table_messages_between_members sm
ON
u.id = sm.senderId
LEFT OUTER JOIN
list_photos_uploaded_by_members ph
ON
u.id = ph.userId
WHERE
u.live = 1 AND u.membershipType = 1 AND u.city = London
GROUP BY
u.id
ORDER BY
答案 0 :(得分:0)
琐碎的解决方案是
$this->searchBy[$topkey][] = $key.' = "'. $val .'"';
这种方法,特别是在允许最终用户写入/输入值的情况下公开可用,可能是一个主要的安全威胁,你应该 escape the input values或使用PDO(甚至更好)。