Php 在WHERE方法（Codeigniter）中使用SQL语句防止SQL注入_Php_Codeigniter_Codeigniter 3

Php 在WHERE方法（Codeigniter）中使用SQL语句防止SQL注入

php codeigniter

Php 在WHERE方法（Codeigniter）中使用SQL语句防止SQL注入,php,codeigniter,codeigniter-3,Php,Codeigniter,Codeigniter 3,这段代码可以防止sql注入吗 $where = "(color = '$color' AND flavor = '$flavor') OR (quality = '$quality' AND price = '$price')"; $this->db->where($where); $result = $this->db->get('fruits'); 基于Codeigniter文档，正如它所说 $this->db->where（）接受可选的第三

这段代码可以防止sql注入吗

    $where = "(color = '$color' AND flavor = '$flavor') OR (quality = '$quality' AND price = '$price')";
    $this->db->where($where);
    $result = $this->db->get('fruits');

基于Codeigniter文档，正如它所说

$this->db->where（）接受可选的第三个参数。如果你设定它若为FALSE，CodeIgniter不会试图保护您的字段或表名字

将前面的语句更改为此是否正确

    $where = "(color = '$color' AND flavor = '$flavor') OR (quality = '$quality' AND price = '$price')";
    $this->db->where($where, NULL, TRUE);
    $result = $this->db->get('fruits');

我有点迷路了，还是应该用这个

    $array = array('color' => $color,
                   'flavor' => $flavor,
                   'quality' => $quality,
                   'price' => $price);
    $where = "(color = ? AND flavor = ?) OR (quality = ? AND price = ?)";
    $this->db->where($where, $array, TRUE);
    $result = $this->db->get('fruits');

你必须用最后一个。无法在其他查询中检测到要“保护”的内容。

很抱歉，我使用了这个方法$this->db->query（）；相反，因为它有一个整洁/干净的声明，易于阅读。

    $array = array('color' => $color,
                   'flavor' => $flavor,
                   'quality' => $quality,
                   'price' => $price);
    $where = "(color = ? AND flavor = ?) OR (quality = ? AND price = ?)";
    $this->db->where($where, $array, TRUE);
    $result = $this->db->get('fruits');