mysql - Laravel SQL parameter binding when using raw SQL

Reposted. Author: 行者123. Updated: 2023-11-29 17:30:33

I have the following query:

$venues = Venue::select(['id', 'name'])
    ->where('name', 'LIKE', "%{$query}%")
    ->orderByRaw("CASE " .
        "WHEN name like '{$query}%' THEN 0 " . // start with
        "WHEN name like '% {$query}%' THEN 1 " . // start of a later word
        "ELSE 3 " .
        "END"
    )
    ->limit(5)
    ->get();

The problem is that the query above is vulnerable to SQL injection. How can I fix this?

Parameter binding is explained here:

https://laravel.com/docs/5.6/queries#raw-expressions

But if I do this:

$venues = Venue::select(['id', 'name'])
    ->where('name', 'LIKE', "%{$query}%")
    ->orderByRaw("CASE " .
        "WHEN name like '?%' THEN 0 " . // start with
        "WHEN name like '% ?%' THEN 1 " . // start of a later word
        "ELSE 3 " .
        "END",
        [
            $query,
            $query,
        ]
    )
    ->limit(5)
    ->get();

I get different results.

Best answer

Try putting the percent signs into the query parameters, like this:

...
    ->orderByRaw("CASE " .
        "WHEN name like ? THEN 0 " . // start with
        "WHEN name like ? THEN 1 " . // start of a later word
        "ELSE 3 " .
        "END",
        [
            "{$query}%",
            "% {$query}%",
        ]
    )
...
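An added example, written for this page and not taken from the question or the answer above, showing the same ranked LIKE search with plain PDO, which is the layer Laravel's query builder ultimately hands its bindings to. It runs against an in-memory SQLite table of constructed venue names; the table, rows and function names (`rankedSearch`, `literalQuestionMarkCount`) are assumptions for illustration. It demonstrates the two points behind the question and the answer: a `?` inside a quoted string literal is ordinary text, not a placeholder, and moving the `%` wildcards into the bound values keeps the ranking working while quote characters in the search term stay data rather than SQL.

```php
<?php
// Added example, not code from the question or answer: the ranked LIKE search
// done with plain PDO, the layer Laravel's query builder passes bindings to.
// Table, rows and function names are constructed for illustration.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE venues (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$insert = $pdo->prepare('INSERT INTO venues (name) VALUES (?)');
foreach (['Blue Bar', 'The Blue Note', 'Bluebird Cafe', "O'Malley's", 'Red Lion'] as $name) {
    $insert->execute([$name]);
}

// Ranked search: 0 = name starts with the term, 1 = a later word starts with it,
// 3 = any other match. Every % wildcard travels inside a bound value; the SQL
// text itself contains only bare ? placeholders, so user input never becomes SQL.
function rankedSearch(PDO $pdo, string $query): array
{
    $stmt = $pdo->prepare(
        'SELECT id, name FROM venues '
        . 'WHERE name LIKE ? '
        . 'ORDER BY CASE '
        . 'WHEN name LIKE ? THEN 0 '   // starts with the term
        . 'WHEN name LIKE ? THEN 1 '   // a later word starts with the term
        . 'ELSE 3 END, name '
        . 'LIMIT 5'
    );
    $stmt->execute(["%{$query}%", "{$query}%", "% {$query}%"]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN, 1);
}

// Why the question's second attempt behaves differently: a ? inside single quotes
// is part of a string literal, so '?%' matches names that begin with a literal
// question mark and creates no placeholder at all. For the sample rows this is 0.
function literalQuestionMarkCount(PDO $pdo): int
{
    $stmt = $pdo->query("SELECT COUNT(*) FROM venues WHERE name LIKE '?%'");
    return (int) $stmt->fetchColumn();
}

print_r(rankedSearch($pdo, 'Blue'));
// Blue Bar and Bluebird Cafe rank 0, The Blue Note ranks 1; Red Lion is filtered out.

print_r(rankedSearch($pdo, "O'Mal"));
// The apostrophe is just data inside a bound value; concatenating it into the
// SQL string, as the first query in the question does, would have broken the statement.

echo literalQuestionMarkCount($pdo), "\n";
```

The same rule applies to `orderByRaw`, `whereRaw` and `selectRaw` in Laravel: write a bare `?` in the raw SQL for every value, and build the complete LIKE pattern (wildcards included) in the bindings array, as the accepted answer does.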

Regarding "mysql - Laravel SQL parameter binding when using raw SQL", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/50701395/
