如何防止SQL注入,而从数据库中获取数据时从用户输入收到的使用参数:如何防止SQL注入的参数使用CakePHP
if(isset($_GET['cityval']) && $_GET['cityval'] !=''){
$city = $this->request->query('cityval');
$searching .= " and college_city in ($city) ";
} else {
$searching .= "";
}
if(isset($_GET['scholarship']) && $_GET['scholarship'] !=''){
$searching .= " and college_scholarship = '".$_GET['scholarship']."' ";
} else {
$searching .= "";
}
我的主查询低于
$search = $this->Search->query("select * from colleges where college_id!='' and status='active' $searching order by $order desc limit $start, 10 ");
嗨,这将返回一个数组,并且如果(!empty($ city)){PDO作为参数标记的限制,如何将数组放入查询 – user3198563
中。 $ cityList = array_filter(explode(',',$ city),function($ item){ return preg_match('/^\ d + $ /',$ item); }); $ searching。=“and college_city in($ cityList)”; } – user3198563
我刚更新了代码。对不起。我忘了添加implode(),因为我没有运行/测试代码 – wcomnisky