I'm reworking some of my queries to prevent SQL injection by rewriting the SQL with bound parameters. For simple queries this is straightforward:
e.g.
// Old code
$sql = "SELECT * FROM some_table WHERE id = 4 AND author = 'Bob'";
$this->db->query($sql);
// New Bound SQL query
$sql = "SELECT * FROM some_table WHERE id = ? AND author = ?";
$this->db->query($sql, array(4, 'Bob'));
I can't get this to work for queries that use the IN operator. As suggested here, I tried the following:
// Old code
$sql = "SELECT * FROM some_table WHERE id = 7 AND author IN ('Bob','Geoff')";
$this->db->query($sql);
// New Bound SQL query
$sql = "SELECT * FROM some_table WHERE id = ? AND author IN ?";
$this->db->query($sql, array(7, array('Bob','Geoff')));
But this query fails with the error message:
"You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'Array' at line 6"
It seems the query has been changed to:
"SELECT * FROM some_table WHERE id = '5' AND author IN Array"
I really can't see what I'm doing wrong. Any suggestions?
Answer 0: (score: 3)
You can use where_in like this:
$array = array('Bob', 'Geoff');
$this->db->select('*');
$this->db->where('id', 7);
$this->db->where_in('author', $array);//WHERE author IN ('Bob', 'Geoff')
$this->db->get('some_table');
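The root cause of the failure in the question is that a PHP array bound to a single "?" is stringified to the literal word Array, so the list is never escaped element by element. As an added example (not code from the question, the answer, or CodeIgniter itself), the helper below expands each array binding into one "?" per element, so "IN ?" becomes "IN (?, ?)" and the driver escapes every value separately; expandInClause is a hypothetical name.

```php
<?php
// Added example: expand array bindings into one placeholder per element so
// each value is escaped individually instead of the array becoming "Array".
function expandInClause(string $sql, array $params): array
{
    $flat = [];      // flattened bindings in placeholder order
    $pos = 0;        // scan position in $sql
    $rebuilt = '';

    foreach ($params as $value) {
        // Note: a literal '?' inside a quoted string in $sql would be matched too.
        $qm = strpos($sql, '?', $pos);
        if ($qm === false) {
            throw new InvalidArgumentException('More bindings than placeholders');
        }
        $rebuilt .= substr($sql, $pos, $qm - $pos);

        if (is_array($value)) {
            if ($value === []) {
                // "IN ()" is a syntax error in MySQL; fail early instead.
                throw new InvalidArgumentException('IN list must not be empty');
            }
            $rebuilt .= '(' . implode(', ', array_fill(0, count($value), '?')) . ')';
            foreach ($value as $element) {
                $flat[] = $element;
            }
        } else {
            $rebuilt .= '?';
            $flat[] = $value;
        }
        $pos = $qm + 1;
    }
    $rebuilt .= substr($sql, $pos);

    return [$rebuilt, $flat];
}

// Constructed input: the query from the question, list passed as a nested array.
[$sql, $binds] = expandInClause(
    "SELECT * FROM some_table WHERE id = ? AND author IN ?",
    [7, ['Bob', 'Geoff']]
);
// Both pieces then go to the driver, e.g. $this->db->query($sql, $binds).
```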
Answer 1: (score: 0)