Php 在WHERE方法(Codeigniter)中使用SQL语句防止SQL注入
这段代码可以防止sql注入吗Php 在WHERE方法(Codeigniter)中使用SQL语句防止SQL注入,php,codeigniter,codeigniter-3,Php,Codeigniter,Codeigniter 3,这段代码可以防止sql注入吗 $where = "(color = '$color' AND flavor = '$flavor') OR (quality = '$quality' AND price = '$price')"; $this->db->where($where); $result = $this->db->get('fruits'); 基于Codeigniter文档,正如它所说 $this->db->where()接受可选的第三
$where = "(color = '$color' AND flavor = '$flavor') OR (quality = '$quality' AND price = '$price')";
$this->db->where($where);
$result = $this->db->get('fruits');
基于Codeigniter文档,正如它所说
$this->db->where()接受可选的第三个参数。如果你设定它
若为FALSE,CodeIgniter不会试图保护您的字段或表
名字
将前面的语句更改为此是否正确
$where = "(color = '$color' AND flavor = '$flavor') OR (quality = '$quality' AND price = '$price')";
$this->db->where($where, NULL, TRUE);
$result = $this->db->get('fruits');
我有点迷路了,还是应该用这个
$array = array('color' => $color,
'flavor' => $flavor,
'quality' => $quality,
'price' => $price);
$where = "(color = ? AND flavor = ?) OR (quality = ? AND price = ?)";
$this->db->where($where, $array, TRUE);
$result = $this->db->get('fruits');
你必须用最后一个。无法在其他查询中检测到要“保护”的内容。很抱歉,我使用了这个方法$this->db->query();相反,因为它有一个整洁/干净的声明,易于阅读。
$array = array('color' => $color,
'flavor' => $flavor,
'quality' => $quality,
'price' => $price);
$where = "(color = ? AND flavor = ?) OR (quality = ? AND price = ?)";
$this->db->where($where, $array, TRUE);
$result = $this->db->get('fruits');