PHP: Selecting from multiple tables in MySQL prevents me from using the <= expression


I am using a SELECT query like this:

SELECT knowledge.*, 
       sortflagitems.* 
FROM   knowledge, 
       sortflagitems 
WHERE  sortflagitems.flagid = :FlagID 
       AND knowledge.id = sortflagitems.kid 
       AND sortflagitems.cid = :CID 
       AND knowledge.archived = :Nothing 
       AND sortflagitems.flagdate <= :Now 
ORDER  BY sortflagitems.sortorder 
However, if I change the SELECT query to:

SELECT knowledge.*, 
       sortflagitems.* 
FROM   knowledge, 
       sortflagitems 
WHERE  sortflagitems.flagid = :FlagID 
       AND knowledge.id = sortflagitems.kid 
       AND sortflagitems.cid = :CID 
       AND knowledge.archived = :Nothing 
       AND sortflagitems.flagdate = :Now 
ORDER  BY sortflagitems.sortorder 
This does not produce any errors.


Note that the line SortFlagItems.FlagDate=:Now has been changed from SortFlagItems.FlagDate<=:Now.

function rquery($query, $params = NULL) {
    $this->_query = $query;
    $stmt = $this->_prepareQuery();
    $stmt->execute($params);

    $results = $this->_dynamicBindResults($stmt);

    return $results;
}
Binding will prevent SQL injection.
If you must, you can use filter_var() on the parameters in _dynamicBindResults.

You can also use it on each parameter before passing the query:

$DBParams = array('FlagID'=>filter_var($_GET['flag'], FILTER_SANITIZE_STRING),...);
As for the join, here is an explicit join:

SELECT Knowledge.*, SortFlagItems.*
FROM Knowledge
INNER JOIN SortFlagItems ON Knowledge.id = SortFlagItems.KID
WHERE SortFlagItems.FlagID=:FlagID
AND SortFlagItems.CID=:CID
AND Knowledge.Archived=:Nothing
AND SortFlagItems.FlagDate<=:Now
ORDER BY SortFlagItems.SortOrder
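
An added example (not code from the original post or its answers) showing the explicit join with every placeholder bound, including the `<=` comparison, and integer inputs validated rather than sanitized. It assumes the pdo_sqlite extension and uses an in-memory SQLite database in place of MySQL; `fetchDue()`, the column list and the sample rows are constructed for illustration.

```php
<?php
// Added example: in-memory SQLite stands in for MySQL so it runs offline (assumes pdo_sqlite).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample schema and rows; only the columns the page's query touches.
$pdo->exec('CREATE TABLE knowledge (id INTEGER PRIMARY KEY, title TEXT, archived INTEGER)');
$pdo->exec('CREATE TABLE sortflagitems (kid INTEGER, flagid INTEGER, cid INTEGER,
                                        flagdate TEXT, sortorder INTEGER)');
$pdo->exec("INSERT INTO knowledge VALUES (1, 'due', 0), (2, 'future', 0), (3, 'archived', 1)");
$pdo->exec("INSERT INTO sortflagitems VALUES
            (1, 7, 42, '2020-01-01 00:00:00', 1),
            (2, 7, 42, '2999-01-01 00:00:00', 2),
            (3, 7, 42, '2020-01-01 00:00:00', 3)");

// fetchDue() is a hypothetical helper, not the asker's rquery().
function fetchDue(PDO $pdo, $flag, $cid, string $now): array
{
    // Validate the type and reject bad input; do not rewrite ("sanitize") it.
    $flagId = filter_var($flag, FILTER_VALIDATE_INT);
    $cidInt = filter_var($cid, FILTER_VALIDATE_INT);
    if ($flagId === false || $cidInt === false) {
        throw new InvalidArgumentException('flag and cid must be integers');
    }
    $stmt = $pdo->prepare(
        'SELECT knowledge.id, knowledge.title, sortflagitems.sortorder
           FROM knowledge
          INNER JOIN sortflagitems ON knowledge.id = sortflagitems.kid
          WHERE sortflagitems.flagid = :FlagID
            AND sortflagitems.cid = :CID
            AND knowledge.archived = :Nothing
            AND sortflagitems.flagdate <= :Now
          ORDER BY sortflagitems.sortorder'
    );
    // Every placeholder in the SQL gets exactly one value, passed as data, never as SQL text.
    $stmt->execute(['FlagID' => $flagId, 'CID' => $cidInt, 'Nothing' => 0, 'Now' => $now]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$now = date('Y-m-d H:i:s');
// The future-dated row and the archived row are filtered out by the bound conditions.
print_r(fetchDue($pdo, '7', '42', $now));

try {
    fetchDue($pdo, '7 OR 1=1', '42', $now);   // constructed hostile value
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```
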

Please, stop using implicit join syntax.

I think this is a PHP problem; try showing the PHP part.

You are not binding all the parameters.

I'm not sure why you get the error, but if you want to use the current date/time, you could try changing ":Now" to "NOW()".

What does rquery do? Is it a wrapper that binds parameters?

The problem is most likely that filter_var is "sanitizing"

public function __construct($host, $username, $password, $db) {
    $this->_mysql = new PDO("mysql:host=$host;dbname=$db", $username, $password);
    $this->_mysql->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
}