If I cast the incoming parameter to an integer, is the query below considered "injection-safe", or do I still need to use the query class?
// Model method: returns the chapters of one course plus the id of the course owner
public function get_chapters_by_course($course_id = NULL)
{
    $course_id = (int)$course_id; // is it sanitised yet?
    $query = $this->db->query("
        SELECT
            chapters.id AS id,
            chapters.chapter_order AS chapter_order,
            chapters.title AS title,
            chapters.description AS description,
            length(chapters.tutorial) AS tutorial_length,
            chapters.course_id AS course_id,
            (SELECT count(sentences.id) FROM sentences WHERE sentences.chapter_id = chapters.id) AS total_sentences,
            (SELECT user_id FROM courses WHERE id = $course_id ) AS course_owner
        FROM chapters
        WHERE chapters.course_id = $course_id
    ");
    return $query->result();
}
Thanks.
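The behaviour the question asks about, as an added example that is not part of the original post: it runs the same WHERE clause three ways against a constructed in-memory SQLite schema (PDO, not CodeIgniter's `$this->db`, so it runs stand-alone), feeding each the classic payload `1 OR 1=1`. The `(int)` cast turns the string into a PHP integer, and an integer interpolated into a string can only ever produce digits and an optional leading minus sign, so nothing the attacker sends can reach the parser as SQL. The bound-parameter form is shown alongside because it gives the same guarantee for non-integer values; the table names, rows and function names are assumptions for the example.

```php
<?php
// Added example, not code from the question: compares three ways of putting
// $course_id into the SQL. Uses PDO with an in-memory SQLite database so it
// runs stand-alone; the two tables and rows are a constructed stand-in for the
// courses/chapters schema in the question (CodeIgniter's $this->db is not needed).

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE courses  (id INTEGER PRIMARY KEY, user_id INTEGER)');
$db->exec('CREATE TABLE chapters (id INTEGER PRIMARY KEY, course_id INTEGER, title TEXT)');
$db->exec("INSERT INTO courses  VALUES (1, 10), (2, 20)");
$db->exec("INSERT INTO chapters VALUES (1, 1, 'course 1, chapter 1'),
                                       (2, 2, 'course 2, chapter 1'),
                                       (3, 2, 'course 2, chapter 2')");

// Constructed attacker input, e.g. from ?course_id=1%20OR%201%3D1
$payload = '1 OR 1=1';

// 1. Raw interpolation, no cast: the payload becomes part of the SQL text and
//    the WHERE clause is rewritten to match every chapter of every course.
function chaptersRaw(PDO $db, $course_id): array
{
    $sql = "SELECT id FROM chapters WHERE course_id = $course_id";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// 2. (int) cast, as in the question: PHP keeps only the leading numeric part
//    of the string ('1 OR 1=1' -> 1, 'abc' -> 0, null -> 0). The interpolated
//    value can then contain nothing but digits and an optional leading minus
//    sign, so no SQL syntax can be injected through it.
function chaptersCast(PDO $db, $course_id): array
{
    $course_id = (int)$course_id;
    $sql = "SELECT id FROM chapters WHERE course_id = $course_id";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// 3. Bound parameter: the value travels separately from the SQL text, so this
//    is safe for any type, not only integers. The CodeIgniter equivalent is
//    $this->db->query("... WHERE chapters.course_id = ?", array($course_id)).
function chaptersBound(PDO $db, $course_id): array
{
    $stmt = $db->prepare('SELECT id FROM chapters WHERE course_id = ?');
    $stmt->execute([$course_id]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

echo "raw:   " . json_encode(chaptersRaw($db, $payload))   . PHP_EOL;
echo "cast:  " . json_encode(chaptersCast($db, $payload))  . PHP_EOL;
echo "bound: " . json_encode(chaptersBound($db, $payload)) . PHP_EOL;
```

Run with `php example.php`: the raw version returns the ids of all three chapters, the cast version only the chapter of course 1, and the bound version no rows, because the literal text `1 OR 1=1` equals no integer course_id. Two caveats the cast does not cover: with the `$course_id = NULL` default, `(int)NULL` is `0`, so calling the method without an argument silently queries course 0 instead of failing, and the cast protects only that one value; any string parameter added to the same query later still needs binding or CodeIgniter's escaping.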