我收到一个字符串参数,我想使用havingRaw:
我收到的字符串:
$searchString = Input::get('q');//example:party beach
我在不同的问题中发现我应该使用它来防止sql注入:
$searchStringEsc = DB::connection()->getPdo()->quote($searchString);
我遇到的问题是,当我使用havingRaw插入我的查询时,因为我的字符串现在被转义为`party beach`它返回null,但是当我插入未转义字符串时,它工作正常。
->havingRaw('search rlike replace("'.$searchStringEsc.'", " ", "|")')
还有另一种逃避原始参数的方法吗?谢谢
EDIT-- 完整查询(我正在进行搜索查询,用户可以在其中输入城市名称,企业名称,标记到企业的任何标签等)
$results = DB::table('events')
->leftJoin('event_tag', 'events.id', '=', 'event_tag.event_id')
->join('tags', 'tags.id', '=', 'event_tag.tag_id')
->join('establishments', 'establishments.id', '=', 'events.establishment_id')
->join('cities', 'establishments.city_id', '=', 'cities.id')
->leftJoin('artist_event', 'events.id', '=', 'artist_event.event_id')
->join('artists', 'artist_event.artist_id', '=', 'artists.id')
->leftJoin('event_music', 'events.id', '=', 'event_music.event_id')
->join('musics', 'musics.id', '=', 'event_music.music_id')
->select('events.id as evId', 'events.slug as evSlug', 'events.name as evName',
'events.cover_path as estPath','establishments.establishment_type_id as estType',
'establishments.name as estName', 'events.start_date as evStart', 'events.end_date as evEnd',
'cities.name as ciName',
DB::raw('CONCAT_WS(",",
GROUP_CONCAT(distinct tags.name),
GROUP_CONCAT(distinct artists.name),
GROUP_CONCAT(distinct cities.name),
GROUP_CONCAT(distinct events.name),
GROUP_CONCAT(distinct musics.name)
) as search'))
->where('events.end_date','>=', DB::raw('NOW()'))
->where('establishments.is_active','=',1)
->groupBy('events.id')
->havingRaw('search rlike replace("'.$searchString.'", " ", "|")')
->orderBy('events.total_visited', 'desc')
->take(5)->get();
如果我将它保留为$ searchString(未缩放的字符串),它可以正常工作。 如果我将其更改为$ searchStringEsc(转义字符串),则返回null
答案 0 :(得分:2)
您可以简单地使用查询绑定,因此请替换
GreetingTicket与
->havingRaw('search rlike replace("'.$searchString.'", " ", "|")')
处理所有逃避需求(->havingRaw('search rlike replace(?, " ", "|")', [$searchString])
也可以这样做)。 whereRaw只意味着你有一个绑定参数(即?)。