我正在使用Doctrine DataBase抽象层(DBAL)来执行一些查询。出于某种原因,当我在将参数传递给查询之前引用参数时,我没有返回任何行。当我不加引号地通过它时,它可以正常工作。
以下是我正在使用的相关代码片段:
public function get($game)
{
load::helper('doctrinehelper');
$conn = doctrinehelper::getconnection();
$statement = $conn->prepare('SELECT games.id as id, games.name as name, games.link_url, games.link_text, services.name as service_name, image_url
FROM games, services
WHERE games.name = ?
AND services.key = games.service_key');
$quotedGame = $conn->quote($game);
load::helper('loghelper');
$logger = loghelper::getLogger();
$logger->debug("Quoted Game: $quotedGame");
$logger->debug("Unquoted Game: $game");
$statement->execute(array($quotedGame));
$resultsArray = $statement->fetchAll();
$logger->debug("Number of rows returned: " . count($resultsArray));
return $resultsArray;
}
以下是日志显示的内容:
01/01/11 17:00:13,269 [2112] DEBUG root - Quoted Game: 'Diablo II Lord of Destruction'
01/01/11 17:00:13,269 [2112] DEBUG root - Unquoted Game: Diablo II Lord of Destruction
01/01/11 17:00:13,270 [2112] DEBUG root - Number of rows returned: 0
如果我更改此行:
$statement->execute(array($quotedGame));
到此:
$statement->execute(array($game));
我在日志中得到了这个:
01/01/11 16:51:42,934 [2112] DEBUG root - Quoted Game: 'Diablo II Lord of Destruction'
01/01/11 16:51:42,935 [2112] DEBUG root - Unquoted Game: Diablo II Lord of Destruction
01/01/11 16:51:42,936 [2112] DEBUG root - Number of rows returned: 1
我有点胖吗?
答案 0 :(得分:0)
实际上,这是一个建筑事物(IMO)。学说基于PHP's PDO。 PDO与Prepared Statements一起使用,因此无需引用,使用mysql_real_escapestring或其他任何内容。 ORM作为基础设计目标在其核心和PDO中,它确实相当安全。