[英]Using slashes in the where clause while comparing values in active record codeigniter
I have the following query 我有以下查询
$query="DELETE FROM salesinvoiceitems WHERE invoiceNumber=".$this->put('invoiceNumber');
Here $this->put('invoiceNumber');
这里
$this->put('invoiceNumber');
always have values like "M\\34\\SD". 始终具有“ M \\ 34 \\ SD”之类的值。 Due to slashes in values it doesn't work as expected.
由于值的斜线无法正常工作。
I researched and found the mysql_escape_string can be used for this purpose but its deprecated now as per the manual. 我研究后发现mysql_escape_string可用于此目的,但现在已按照手册弃用了它。 So whats my best bet here?
那么,我最好的选择是什么?
Why not use Codeingiter Active Record instead? 为什么不改用Codeingiter Active Record? An example:
一个例子:
$this->db->where('invoiceNumber', $this->put('invoiceNumber'));
$this->db->delete('salesinvoiceitems');
Taken from Codeigniter documentation: 取自Codeigniter文档:
Beyond simplicity, a major benefit to using the Active Record features is that it allows you to create database independent applications, since the query syntax is generated by each database adapter.
除了简单之外,使用Active Record功能的主要好处是它允许您创建独立于数据库的应用程序,因为查询语法是由每个数据库适配器生成的。 It also allows for safer queries, since the values are escaped automatically by the system.
它还允许更安全的查询,因为这些值会由系统自动转义。
There's a method in the activerecord called escape
, so you should : 活动记录中有一个方法称为
escape
,所以您应该:
$invoice = $this->db->escape($yourVar);
$query = "DELETE FROM salesinvoiceitems WHERE invoiceNumber=$invoice";
Which will protect against sql injection as it escapes the var. 这将防止sql注入,因为它逃脱了var。
尝试这个
$query="DELETE FROM salesinvoiceitems WHERE invoiceNumber=".addslashes($this->put('invoiceNumber'));
尝试带斜线
$query="DELETE FROM salesinvoiceitems WHERE invoiceNumber='".($this->put('invoiceNumber')). "'";
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.