Can this code prevent SQL injection?
$where = "(color = '$color' AND flavor = '$flavor') OR (quality = '$quality' AND price = '$price')";
$this->db->where($where);
$result = $this->db->get('fruits');
It is based on the CodeIgniter documentation.
Here, $this->db->where() accepts an optional third parameter. If you set it to FALSE, CodeIgniter will not try to protect your field or table names.
$this->db->where('MATCH (field) AGAINST ("value")', NULL, FALSE);
Is it correct to change the previous statement to this?
$where = "(color = '$color' AND flavor = '$flavor') OR (quality = '$quality' AND price = '$price')";
$this->db->where($where, NULL, TRUE);
$result = $this->db->get('fruits');
I'm a bit lost. Or should I use this?
$array = array('color'   => $color,
               'flavor'  => $flavor,
               'quality' => $quality,
               'price'   => $price);
$where = "(color = ? AND flavor = ?) OR (quality = ? AND price = ?)";
$this->db->where($where, $array, TRUE);
$result = $this->db->get('fruits');
Posted on 2018-09-07 08:26:31
You have to use the last one. It is not possible to detect what needs to be "protected" in the other queries.
https://stackoverflow.com/questions/52195953
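For the lookup in the question, here is an added example (not from the original question or answer) of the two shapes that let CodeIgniter escape the values itself instead of interpolating them into the WHERE string; it assumes the CodeIgniter 3.x Query Builder, whose group_start()/or_group_start()/group_end() methods and query() bindings are not mentioned on the page.

```php
<?php
// Added example, not from the original question or answer: the same
// "(color AND flavor) OR (quality AND price)" lookup written so that the
// CodeIgniter 3.x Query Builder escapes every value itself. Assumes CI 3.x
// (group_start()/or_group_start()/group_end() and query() bindings exist there).
defined('BASEPATH') OR exit('No direct script access allowed');

class Fruits_model extends CI_Model
{
    // Query Builder form: each value is passed separately to where(), so the
    // builder quotes and escapes it. The parentheses of the original raw
    // string are reproduced with group_start()/or_group_start(); the third
    // argument of where() is never needed because no SQL is built by hand.
    public function find_with_builder($color, $flavor, $quality, $price)
    {
        $this->db->group_start()
                 ->where('color', $color)
                 ->where('flavor', $flavor)
                 ->group_end()
                 ->or_group_start()
                 ->where('quality', $quality)
                 ->where('price', $price)
                 ->group_end();

        return $this->db->get('fruits')->result_array();
    }

    // Bound-query form: the SQL text is fixed and every ? is replaced by an
    // escaped value when the query runs, so user input never becomes SQL syntax.
    public function find_with_bindings($color, $flavor, $quality, $price)
    {
        $sql = 'SELECT * FROM fruits '
             . 'WHERE (color = ? AND flavor = ?) OR (quality = ? AND price = ?)';

        return $this->db->query($sql, array($color, $flavor, $quality, $price))
                        ->result_array();
    }
}
```

Either form replaces the interpolated string from the question; a string that already contains the raw values cannot be made safe by where()'s third argument, which only controls identifier protection.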