MySQL: preventing SQL injection in a CakePHP 3 full-text index MATCH
I need to do a full-text search on a table in CakePHP 3. I do the search like this:
$ids = $this->I18n->find('list', [
    'valueField' => 'foreign_key',
    'conditions' => [
        'field IN' => ['name', 'description_search', 'description_short_search'],
        'model' => 'Products',
        'locale' => $lang,
        'MATCH (content) AGAINST ("'.$filteredValue.'")',
    ],
])->toArray();
This works, but it is unsafe: it is an ideal spot for SQL injection. I tried replacing it with a parameter ('MATCH (content) AGAINST (?)' => $filteredValue), but that produces the error Invalid parameter number: mixed named and positional parameters.
How can I protect against this?
(Yes, this matches the standard i18n table. A bit of a hack, but irrelevant to the question.)
Use binding
Binding no longer works like that; in CakePHP 3.x you have to use the Query::bind() method (or StatementInterface::bindValue() when working with custom statements).
See also
$ids = $this->I18n
    ->find('list', [
        'valueField' => 'foreign_key',
        'conditions' => [
            'field IN' => ['name', 'description_search', 'description_short_search'],
            'model' => 'Products',
            'locale' => $lang,
            'MATCH (content) AGAINST (:against)',
        ],
    ])
    ->bind(':against', $filteredValue, 'string')
    ->toArray();
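The same binding, moved into a reusable custom finder on the I18n table so the user-supplied term can never reach the SQL string from a controller. This is an added example, not code from the question or answer; the finder name `fullText`, the option keys `term` and `locale`, and the `I18nTable` class are assumptions.

```php
<?php
// Added example (not from the question or the answer): a custom finder that
// keeps the search term out of the SQL text by binding it. Assumes the standard
// CakePHP 3.x i18n table and a Table class named I18nTable.
namespace App\Model\Table;

use Cake\ORM\Query;
use Cake\ORM\Table;

class I18nTable extends Table
{
    /**
     * Full-text search over translated Products fields.
     *
     * The MATCH ... AGAINST fragment contains only a named placeholder; the
     * term is attached with Query::bind(), so it travels as a bound parameter
     * instead of being spliced into the statement.
     */
    public function findFullText(Query $query, array $options)
    {
        $term = (string)($options['term'] ?? '');
        $locale = (string)($options['locale'] ?? 'en');

        return $query
            ->where([
                'field IN' => ['name', 'description_search', 'description_short_search'],
                'model' => 'Products',
                'locale' => $locale,
                // CakePHP already emits named placeholders (:c0, :c1, ...) for the
                // array conditions above, so a positional "?" here would raise
                // "mixed named and positional parameters"; use a named one.
                'MATCH (content) AGAINST (:against)',
            ])
            ->bind(':against', $term, 'string');
    }
}

// Usage from a controller, stacking the custom finder with the list finder:
// $ids = $this->I18n
//     ->find('fullText', ['term' => $filteredValue, 'locale' => $lang])
//     ->find('list', ['valueField' => 'foreign_key'])
//     ->toArray();
```

A quick check that nothing was concatenated: `$query->sql()` on the built query should show `:against` and never the raw term.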