Zend safe SQL query?
I was wondering if something like this is safe in Zend:
$db = Zend_Registry::get('db');
$query = "SELECT * FROM tags t JOIN posts_tags pt ON pt.tag_id = t.tag_id where pt.post_id = " . $postid;
$select = $db->query($query);
I'm not checking what the content of $postid is here.
Zend does this automatically when you make queries like this:
$db = Zend_Registry::get('db');
$select = $db->select();
$select->from(array('p' => 'posts'))
       ->join(array('u' => 'users'), 'u.user_id = p.post_userid')
       ->where('p.post_id = ?', $postid);
But I don't like this way of working; just writing queries is much faster for me. So should I be manually escaping, or is this done for me? And what are the easiest ways to do this?
Comments (2)
If you don't want to use Zend_Db_Select you can do:
Where the 2nd param is an array of values to be dropped into the placeholders. See: http://framework.zend.com/manual/en/zend.db.statement.html
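As an added example (not code from the question or either answer), here is the concatenated query from the question next to the bind-array form this answer describes, plus the quoteInto() route for anyone who insists on building a finished SQL string. It assumes a Zend Framework 1 Zend_Db adapter stored in the registry under 'db', as in the question, using one of the PDO or mysqli adapters (which accept '?' placeholders); the table and column names are the question's, and the hostile input is constructed for illustration.

```php
<?php
// Added example, not code from the original post. Assumes a Zend Framework 1
// Zend_Db adapter is registered under 'db' (as in the question) and that it is
// a PDO or mysqli adapter, which accept '?' placeholders. Table and column
// names come from the question.

/**
 * The pattern from the question: $postid is pasted into the SQL text before
 * the adapter ever sees it, so all the adapter can do is run the string as-is.
 * Kept as a plain string builder so the effect can be inspected without a DB.
 */
function buildUnsafeSql($postid)
{
    return "SELECT * FROM tags t JOIN posts_tags pt ON pt.tag_id = t.tag_id"
         . " WHERE pt.post_id = " . $postid;
}

/**
 * Hardened: positional placeholder, value handed over in the bind array
 * (the "2nd param" the answer refers to). The adapter prepares the statement
 * and binds $postid as a value, so the database never parses it as SQL.
 */
function tagsForPost(Zend_Db_Adapter_Abstract $db, $postid)
{
    $sql = "SELECT * FROM tags t JOIN posts_tags pt ON pt.tag_id = t.tag_id"
         . " WHERE pt.post_id = ?";
    return $db->fetchAll($sql, array($postid));
}

/**
 * Same thing via query(), for callers that want the statement object
 * (e.g. to iterate rows instead of loading them all).
 */
function tagsForPostStmt(Zend_Db_Adapter_Abstract $db, $postid)
{
    $sql = "SELECT * FROM tags t JOIN posts_tags pt ON pt.tag_id = t.tag_id"
         . " WHERE pt.post_id = ?";
    $stmt = $db->query($sql, array($postid)); // 2nd argument = bind values
    return $stmt->fetchAll();
}

/**
 * If you really need a finished SQL string (for logging, say), let the
 * adapter quote the value with quoteInto() instead of concatenating it.
 * For an integer key column, casting to int first removes any doubt.
 */
function tagsForPostQuoted(Zend_Db_Adapter_Abstract $db, $postid)
{
    $sql = "SELECT * FROM tags t JOIN posts_tags pt ON pt.tag_id = t.tag_id"
         . " WHERE " . $db->quoteInto('pt.post_id = ?', (int) $postid);
    return $db->fetchAll($sql);
}

// --- Demonstration -----------------------------------------------------------
// Constructed hostile input standing in for whatever the request carried.
$hostile = '1 OR 1=1';

// Concatenated: the OR becomes part of the WHERE clause.
echo buildUnsafeSql($hostile), "\n";

$db = Zend_Registry::get('db');

// Bound: the whole string is compared as one value against pt.post_id.
$rows = tagsForPost($db, $hostile);

// Quoted by the adapter: the value ends up as one string literal.
echo $db->quoteInto('pt.post_id = ?', $hostile), "\n";
```

With the constructed input, buildUnsafeSql() returns a statement ending in `WHERE pt.post_id = 1 OR 1=1`, which is true for every row, so every post's tags come back. Both bound versions send '1 OR 1=1' as data, and quoteInto() wraps it in quotes as a single literal; the int cast in tagsForPostQuoted() turns it into plain `pt.post_id = 1`. Writing the SQL by hand, as the questioner prefers, is fine; the only rule is that the variable goes in the bind array (or through quoteInto()), never into the string.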
Zend cannot be escaping your variable because it never sees it. Your variable is being appended to a string, and the $db->query method gets to see the string as a whole.
I don't think that the query() method does any sanitization anyway.