php - 如何使用多个WHERE条件(预准备语句)参数化SQL查询?

时间:2015-09-30 16:43:55

标签: php sql prepared-statement where sql-injection

我在WHERE子句中有多个由用户输入的条件(称为过滤器)。目前我正在以这种方式处理它们(不要担心它没有部署):

//$by_nickname etc. are filters from $_GET

$conditions = array();

if($by_nickname !="")
{
    $conditions[] = " players.lastName LIKE ('%" . $by_nickname . "%')";
}

if($by_steamid !="")
{
    $conditions[] = " ids.uniqueId = '$by_steamid'";
}

if($by_ip !="")
{
    $conditions[] = " players.lastAddress = '$by_ip'";
}

if($by_msg !="")
{
    $conditions[] = " chat.message LIKE ('%" . $by_msg . "%')";
}

if (count($conditions) > 0)
{
    $where = implode(' AND ', $conditions);
    $query = "SELECT ... WHERE " . $where;
}
else
{
    $query = "SELECT ... ";
}

而不是我会使用

$conditions[] = " ids.uniqueId = ?";

等等。现在我也会获得$where,但使用?代替过滤器值。

现在应该准备好查询

$stmt = $mysqli->prepare("SELECT ... WHERE $where");

并参数化了这样的东西

$stmt->bind_param('ss', $by_nickname, $by_steamid);

但是,如果某些过滤器可能为空,我如何参数化查询?简单地说,我事先并不知道bind_param()方法参数。

1 个答案:

答案 0 :(得分:1)

我已经使用具有命名参数的PDO解决了我的问题。所以这是我的解决方案,希望它对某人有帮助。

$by_nickname = $_GET['nickname'];
$by_steamid = $_GET['steamid'];
// integer
$by_serverid = $_GET['serverid'];

$pdo = new PDO("mysql:host=host;port=port;dbname=db;charset=utf8", "user", "password");

$conditions = array();
$parameters = array();
$where = "";

if($by_nickname !="")
{
    $conditions[] = " players.nickname LIKE :nickname";
    $parameters[":nickname"] = "%$by_nickname%";
}

if($by_steamid !="")
{
    $conditions[] = " ids.steamid = :steamid";
    $parameters[":steamid"] = $by_steamid;
}

if($by_serverid !="")
{
    $conditions[] = " servers.serverid = :serverid";
    // Beware of correct parameter type!
    $parameters[":serverid"] = intval($by_serverid);
}

if (count($conditions) > 0)
{
    $where = implode(' AND ', $conditions);
}

// check if $where is empty string or not
$query = "SELECT ... " . ($where != "" ? " WHERE $where" : "");

try
{
    if (empty($parameters))
    {
        $result = $pdo->query($query);
    }
    else
    {
        $statement = $pdo->prepare($query);
        $statement->execute($parameters);
        if (!$statement) throw new Exception("Query execution error.");
        $result = $statement->fetchAll();
    }
}
catch(Exception $ex)
{
    echo $ex->getMessage();
}

foreach($result as $row)
{
  // for example
  echo row["<Column Name>"];
}