PHP: selecting from multiple tables in MySQL prevents me from using a <= expression
php, mysql, pdo

I'm using a SELECT query like the following:
SELECT knowledge.*,
sortflagitems.*
FROM knowledge,
sortflagitems
WHERE sortflagitems.flagid = :FlagID
AND knowledge.id = sortflagitems.kid
AND sortflagitems.cid = :CID
AND knowledge.archived = :Nothing
AND sortflagitems.flagdate <= :Now
ORDER BY sortflagitems.sortorder
But if I change the SELECT query to:
SELECT knowledge.*,
sortflagitems.*
FROM knowledge,
sortflagitems
WHERE sortflagitems.flagid = :FlagID
AND knowledge.id = sortflagitems.kid
AND sortflagitems.cid = :CID
AND knowledge.archived = :Nothing
AND sortflagitems.flagdate = :Now
ORDER BY sortflagitems.sortorder
this doesn't produce any error.
Note that the line SortFlagItems.FlagDate=:Now has been changed from SortFlagItems.FlagDate<=:Now.
// Wrapper around PDO prepare/execute. _prepareQuery() and _dynamicBindResults()
// are not shown in the question.
function rquery($query, $params = NULL) {
    $this->_query = $query;
    $stmt = $this->_prepareQuery();
    $stmt->execute($params);          // named placeholders are bound from $params
    $results = $this->_dynamicBindResults($stmt);
    return $results;
}
Binding will prevent SQL injection.
If you must, you can use filter_var() on the parameters in _dynamicBindResults.
You can also use it on each parameter before passing the query:
$DBParams = array('FlagID'=>filter_var($_GET['flag'], FILTER_SANITIZE_STRING),...);
For the join, here is an explicit join:
SELECT Knowledge.*, SortFlagItems.*
FROM Knowledge
INNER JOIN SortFlagItems ON Knowledge.id = SortFlagItems.KID
WHERE SortFlagItems.FlagID=:FlagID
AND SortFlagItems.CID=:CID
AND Knowledge.Archived=:Nothing
AND SortFlagItems.FlagDate<=:Now
ORDER BY SortFlagItems.SortOrder
Comments:
Please, stop using implicit join syntax.
I think this is a PHP problem; please try to show the PHP part.
You haven't bound all of the parameters.
I'm not sure why you get an error, but if you want to use the current date/time you could try changing ':Now' to 'Now()'.
What does rquery do? Is it a wrapper for binding parameters?
The problem is most likely that filter_var is "sanitizing"
// PDO connection used by the wrapper whose rquery() method is shown above.
public function __construct($host, $username, $password, $db) {
    $this->_mysql = new PDO("mysql:host=$host;dbname=$db", $username, $password);
    $this->_mysql->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
}
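The answer above says binding prevents injection and suggests filter_var() with FILTER_SANITIZE_STRING as an extra step, and one of the comments suspects that filter_var's "sanitizing" is what breaks the query. The following is an added example, not code from the question or the answer. It assumes an in-memory SQLite database driven through PDO and a minimal invented schema containing only the columns the question's queries reference, so it runs without a MySQL server. It shows that a bound <= query runs unchanged, that an injection string bound as a value is harmless, and what FILTER_SANITIZE_STRING does to any string that contains "<=".

```php
<?php
// Added example, not code from the question or the answer. It assumes an
// in-memory SQLite database via PDO and an invented schema (column names are
// taken from the question, types are guesses) so it runs without MySQL.
declare(strict_types=1);

function setupDb(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

    $pdo->exec('CREATE TABLE knowledge (id INTEGER PRIMARY KEY, title TEXT, archived TEXT)');
    $pdo->exec('CREATE TABLE sortflagitems (flagid INTEGER, kid INTEGER, cid INTEGER,
                                            flagdate TEXT, sortorder INTEGER)');

    // Constructed sample rows: one flag dated in the past, one in the future,
    // one attached to an archived knowledge row.
    $pdo->exec("INSERT INTO knowledge VALUES (1, 'past', ''), (2, 'future', ''), (3, 'old', 'yes')");
    $pdo->exec("INSERT INTO sortflagitems VALUES
                (7, 1, 3, '2024-01-01', 2),
                (7, 2, 3, '2099-01-01', 1),
                (7, 3, 3, '2024-01-01', 3)");
    return $pdo;
}

// Explicit-join form of the question's query, <= comparison included.
// Placeholders stand for values only; the operator is SQL text and the
// binding layer never touches it.
const FLAG_SQL = 'SELECT knowledge.*, sortflagitems.*
    FROM knowledge
    INNER JOIN sortflagitems ON knowledge.id = sortflagitems.kid
    WHERE sortflagitems.flagid = :FlagID
      AND sortflagitems.cid = :CID
      AND knowledge.archived = :Nothing
      AND sortflagitems.flagdate <= :Now
    ORDER BY sortflagitems.sortorder';

function flaggedItems(PDO $pdo, $flagId, int $cid, string $now): array
{
    $stmt = $pdo->prepare(FLAG_SQL);
    // Every placeholder in the statement must be bound, or execute() fails.
    $stmt->execute(['FlagID' => $flagId, 'CID' => $cid, 'Nothing' => '', 'Now' => $now]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$pdo = setupDb();

// 1. Binding leaves the <= intact: only the non-archived row dated before :Now matches.
printf("rows with <= : %d\n", count(flaggedItems($pdo, 7, 3, '2024-06-01')));

// 2. An injection string bound as a value is compared literally against flagid,
//    so it matches nothing instead of widening the WHERE clause.
printf("rows for hostile FlagID: %d\n", count(flaggedItems($pdo, '7 OR 1=1', 3, '2024-06-01')));

// 3. FILTER_SANITIZE_STRING (deprecated since PHP 8.1) is a tag stripper. Run over
//    SQL text it discards everything from a '<' not followed by whitespace up to
//    the next '>' or the end of the string, so "<= :Now ORDER BY ..." disappears
//    and the statement that would reach the server ends at "flagdate ".
$mangled = @filter_var(FLAG_SQL, FILTER_SANITIZE_STRING);
printf("sanitized SQL ends with: %s\n", json_encode(substr($mangled, -24)));

// 4. Applied to a value it corrupts the data the same way (and HTML-encodes quotes)
//    while adding nothing to the safety that prepare() + execute() already provide.
printf("sanitized value: %s\n", @filter_var("O'Brien <= 2", FILTER_SANITIZE_STRING));
```

With pdo_mysql the same code applies; set PDO::ATTR_EMULATE_PREPARES to false if you want server-side prepared statements, but even with emulation PDO only quotes the bound values and never rewrites operators, so a bare <= in the statement cannot be what triggers an error. If a query text is passed through FILTER_SANITIZE_STRING anywhere before prepare(), the truncation shown in step 3 is the result to look for.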