2016-07-27

CFQUERY to queryExecute: cfif inside the SQL string

What is the best way to do in queryExecute what I do in <cfquery>?

CFQUERY

<cfquery name="qry"> 
    SELECT * FROM tbl_products 
    WHERE filed1 = 1 

    <cfif structKeyExists(URL, "test")> 
     AND filed2 = 2 
    </cfif> 

    ORDER BY id DESC 
</cfquery> 

queryExecute

<cfscript> 

    sql = " 
     SELECT * FROM tbl_products 
     WHERE filed1 = 1 
     ORDER BY id DESC 
    "; 

    if (structKeyExists(URL, "test")){ 
     sql = " 
      SELECT * FROM tbl_products 
      WHERE filed1 = 1 
      AND filed2 = 2 
      ORDER BY id DESC 
     "; 
    } 

    qry = queryExecute(
     sql = sql 
    ); 

</cfscript> 
Is this the best way to do it?

I hope I have explained myself clearly...

Answer

You have to build the SQL string. It is also worth passing the values as parameters so you are not exposed to SQL injection. For example:

<cfscript> 
params = {}; 

sql = " 
    SELECT * FROM tbl_products 
    WHERE filed1 = :filed1 
"; 
params["filed1"] = 1; 

if (structKeyExists(URL, "test")){ 
    sql &= "AND filed2 = :filed2 "; 
    params["filed2"] = 2; 
} 

sql &= "ORDER BY id DESC"; 

queryExecute(sql, params); 
</cfscript> 

Or you can use positional parameters.

<cfscript> 
params = []; 

sql = " 
    SELECT * FROM tbl_products 
    WHERE filed1 = ? 
"; 
arrayAppend(params, 1); 

if (structKeyExists(URL, "test")){ 
    sql &= "AND filed2 = ? "; 
    arrayAppend(params, 2); 
} 

sql &= "ORDER BY id DESC"; 

queryExecute(sql, params); 
</cfscript> 

This is one of those times when tags are nicer than script.

Thanks. I think that's how I do it. I was hoping to solve it in some other, "cleaner" way with some "trick" :D – Ivan
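The answer's pattern (append a clause and its bound parameter in the same step) generalizes to any number of optional filters. The cfscript below is an added example, not code from the question or the answer: it whitelists the filterable columns, appends each `AND col = :col` clause together with a typed parameter, and keeps every value out of the SQL text. The column names `filed1`/`filed2`/`name` are taken from the question and assumed; the datasource name `productsDSN` and the helper `buildProductQuery` are illustrative assumptions.

```cfml
<cfscript>
// Added example, not from the original page. Assumes a datasource named
// "productsDSN" and a table tbl_products with columns filed1, filed2, name, id.

// Whitelist of columns a caller may filter on, with the SQL type to bind.
// Column names cannot be bound as parameters, so they must never be taken
// from URL/FORM without being checked against a list like this one.
variables.allowedFilters = {
    "filed1": "cf_sql_integer",
    "filed2": "cf_sql_integer",
    "name":   "cf_sql_varchar"
};

/**
 * Returns { sql: string, params: struct } for a tbl_products lookup.
 * Only keys present in allowedFilters are honoured; each one appends an
 * "AND col = :col" clause and the matching typed parameter in the same step,
 * so the SQL and the params struct can never drift apart.
 */
function buildProductQuery(required struct filters) {
    var clauses = [];
    var params  = {};

    for (var col in variables.allowedFilters) {
        if (structKeyExists(arguments.filters, col)) {
            arrayAppend(clauses, "#col# = :#col#");
            params[col] = {
                value:     arguments.filters[col],
                cfsqltype: variables.allowedFilters[col]
            };
        }
    }

    var sql = "SELECT * FROM tbl_products";
    if (arrayLen(clauses)) {
        sql &= " WHERE " & arrayToList(clauses, " AND ");
    }
    sql &= " ORDER BY id DESC";

    return { sql: sql, params: params };
}

// Usage: the same conditional as the question, expressed as filter data.
// The URL only decides WHICH whitelisted filter is added; the value itself
// is bound as a parameter and never interpolated into the SQL string.
filters = { "filed1": 1 };
if (structKeyExists(URL, "test")) {
    filters["filed2"] = 2;
}

q   = buildProductQuery(filters);
// q.sql    -> "SELECT * FROM tbl_products WHERE filed1 = :filed1 AND filed2 = :filed2 ORDER BY id DESC"
// q.params -> { filed1: {value: 1, cfsqltype: "cf_sql_integer"}, filed2: {...} }
qry = queryExecute(q.sql, q.params, { datasource: "productsDSN" });

// For contrast, this is the shape that IS injectable and that the answer's
// approach avoids: a request value interpolated straight into the SQL text.
// With URL.id = "1 OR 1=1" the WHERE clause is rewritten by the caller.
//   unsafeSql = "SELECT * FROM tbl_products WHERE id = #URL.id#";   // never do this
</cfscript>
```

Two points the answer leaves implicit: give each parameter a `cfsqltype` so the driver binds an integer as an integer rather than relying on a default, and treat column names and sort directions as untrusted identifiers that must be matched against a fixed list, since parameter binding only protects values, not SQL syntax.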