Typo3 extension: problem with the fullQuoteArray() function
I am reading an extension file, see the following code:
$GLOBALS['TYPO3_DB']->exec_UPDATEquery(
'tx_jcjob_job',
'uid = '.$this->piVars['job'],
array('hit_counter' => 'hit_counter + 1'),
array('hit_counter')
);
Then in the file class.t3lib_db.php I checked two functions, exec_UPDATEquery():

 * @param string Database tablename
 * @param string WHERE clause, eg. "uid=1". NOTICE: You must escape values in this argument with $this->fullQuoteStr() yourself!
 * @param array Field values as key=>value pairs. Values will be escaped internally. Typically you would fill an array like "$updateFields" with 'fieldname'=>'value' and pass it to this function as argument.
 * @param string/array See fullQuoteArray()
 * @return pointer MySQL result pointer / DBAL object
 */
function exec_UPDATEquery($table, $where, $fields_values, $no_quote_fields = FALSE)

and fullQuoteArray():

/**
 * Will fullquote all values in the one-dimensional array so they are ready to "implode" for an sql query.
 *
 * @param array Array with values (either associative or non-associative array)
 * @param string Table name for which to quote
 * @param string/array List/array of keys NOT to quote (eg. SQL functions) - ONLY for associative arrays
 * @return array The input array with the values quoted
 * @see cleanIntArray()
 */
function fullQuoteArray($arr, $table, $noQuote = FALSE)

But I still have a question: how does this work:

array('hit_counter')

? Or, in other words, how does the function fullQuoteArray() work? What does this mean: "fullquote all values in the one-dimensional array"?

It uses the function real_escape_string (since 6.x) or mysql_real_escape (before 6.x) on each array value. So every value should be SQL-injection safe.
No magic inside :)
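To make the two behaviours visible side by side, here is an added example (not TYPO3's own code, not the asker's extension) that emulates how t3lib_DB::fullQuoteArray() and UPDATEquery() assemble the SQL string, following the docblocks quoted above: every value in $fields_values is quoted unless its key appears in the no-quote list, and the WHERE clause is used verbatim. The helper escapeLikeMysql() is an assumption standing in for mysql_real_escape_string()/real_escape_string() so the script runs without a database link; the piVars values are constructed. It also shows the caveat the exec_UPDATEquery docblock warns about: in the posted call the WHERE clause 'uid = '.$this->piVars['job'] is built from request input without fullQuoteStr() or an integer cast, so the quoting done by fullQuoteArray() does not protect it.

```php
<?php
// Added example, not TYPO3 code: minimal emulation of t3lib_DB quoting so the
// effect of the $noQuote list and of an unescaped WHERE clause can be seen.

// Assumption: stands in for mysql_real_escape_string() / real_escape_string();
// escapes the same characters, but needs no MySQL connection.
function escapeLikeMysql($str) {
    return strtr($str, array(
        "\\"   => "\\\\",
        "'"    => "\\'",
        '"'    => '\\"',
        "\0"   => "\\0",
        "\n"   => "\\n",
        "\r"   => "\\r",
        "\x1a" => "\\Z",
    ));
}

// Mirrors fullQuoteStr(): escape the value, then wrap it in single quotes.
function fullQuoteStr($str, $table) {
    return "'" . escapeLikeMysql($str) . "'";
}

// Mirrors fullQuoteArray(): quote every value whose KEY is not in $noQuote.
// $noQuote may be a comma-separated string, an array, or FALSE (quote all).
// Strict in_array() so integer keys of a non-associative array never match
// a field name (the docblock restricts $noQuote to associative arrays).
function fullQuoteArray($arr, $table, $noQuote = FALSE) {
    if (is_string($noQuote)) {
        $noQuote = explode(',', $noQuote);
    } elseif (!is_array($noQuote)) {
        $noQuote = FALSE;
    }
    foreach ($arr as $k => $v) {
        if ($noQuote === FALSE || !in_array($k, $noQuote, TRUE)) {
            $arr[$k] = fullQuoteStr($v, $table);
        }
    }
    return $arr;
}

// Mirrors UPDATEquery(): values pass through fullQuoteArray(); $where is
// concatenated as given, which is why the caller must escape it.
function UPDATEquery($table, $where, $fields_values, $no_quote_fields = FALSE) {
    $fields = array();
    foreach (fullQuoteArray($fields_values, $table, $no_quote_fields) as $k => $v) {
        $fields[] = $k . '=' . $v;
    }
    return 'UPDATE ' . $table . ' SET ' . implode(',', $fields)
        . (strlen($where) > 0 ? ' WHERE ' . $where : '');
}

// Constructed input: piVars['job'] from a normal and from a hostile request.
$normalJob  = '7';
$hostileJob = '7 OR 1=1';

// 1) The call from the question: 'hit_counter' is in the no-quote list, so
//    'hit_counter + 1' is emitted as an SQL expression and the row is incremented.
echo UPDATEquery('tx_jcjob_job', 'uid = ' . $normalJob,
    array('hit_counter' => 'hit_counter + 1'), array('hit_counter')), "\n";

// 2) Same call without the no-quote list: the expression is quoted and becomes
//    a string literal assigned to an integer column.
echo UPDATEquery('tx_jcjob_job', 'uid = ' . $normalJob,
    array('hit_counter' => 'hit_counter + 1')), "\n";

// 3) The WHERE clause is never quoted, so request input reaches the query as is.
echo UPDATEquery('tx_jcjob_job', 'uid = ' . $hostileJob,
    array('hit_counter' => 'hit_counter + 1'), array('hit_counter')), "\n";

// 4) Hardened caller: uid is an integer column, so cast the input before
//    concatenating (fullQuoteStr() would be the equivalent for string columns).
echo UPDATEquery('tx_jcjob_job', 'uid = ' . intval($hostileJob),
    array('hit_counter' => 'hit_counter + 1'), array('hit_counter')), "\n";
```

Run it with `php example.php`. Case 1 produces `SET hit_counter=hit_counter + 1`, which is the intended increment; case 2 produces `SET hit_counter='hit_counter + 1'`, a string that MySQL either coerces for the integer column or rejects in strict mode, so the counter is not incremented. Case 3 produces `WHERE uid = 7 OR 1=1`, which updates every row of tx_jcjob_job: the no-quote list only controls quoting of the SET values, it has nothing to do with the WHERE clause. Case 4 restores `WHERE uid = 7`, since intval() keeps only the leading integer of the input.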