
In CakePHP, how to prevent SQL injection if I use direct MySQL queries rather than using models?

I have to deal with a large MySQL DB: SQL queries with lots of calculations (in the select clause) and several kinds of conditions in the where clauses. So, I decided to use raw/direct SQL queries to deal with the DB by using $db = ConnectionManager::getDataSource('default');

If I use this, how do I prevent SQL injection in a MySQL query? "mysql_real_escape_string" no longer exists. Is there any way to use PDO within CakePHP?

You can use this in your controller (or component):

// Initiate PDO connection: getConnection() returns the underlying PDO handle
$this->_pdocon = $this->WhateverYourModel->getDataSource()->getConnection();
try {

    // Select query: the value is bound, never concatenated into the SQL text
    $company = "What";
    $stmt = $this->_pdocon->prepare('SELECT * FROM `agents` WHERE `company` LIKE :company LIMIT 2');
    $stmt->bindValue(':company', $company, PDO::PARAM_STR);

    // Start transaction (PDO's method is beginTransaction(), not begin())
    $this->_pdocon->beginTransaction();

    // Loop through the rows one at a time (fetch(), not fetchAll(), in a while loop)
    if ($stmt->execute()) {
        while ($row = $stmt->fetch(PDO::FETCH_ASSOC)) {
            $stmt2 = $this->_pdocon->prepare("INSERT INTO `company`
                        (`id`, `name`, `identityno`, `modified`, `created`)
                        VALUES
                        (NULL, :name, :identityno, NOW(), NOW())");
            $stmt2->bindValue(':name', $row['name'], PDO::PARAM_STR);
            $stmt2->bindValue(':identityno', $row['id'], PDO::PARAM_INT);
            $stmt2->execute();
        }
    }

    // Commit transaction
    $this->_pdocon->commit();

    // Get last insert id
    $row_id = $this->_pdocon->lastInsertId();
    var_dump($row_id);

} catch (PDOException $e) {

    // Rollback transaction
    $this->_pdocon->rollBack();

    echo "! PDO Error : " . $e->getMessage() . "<br/>";
}

This is what I ended up with. Using PDO has solved thousands of issues. Now the system is fast and there is no memory exhaustion error. And I cannot put all the issues and errors I got into my question. It's good to give a direct answer rather than trying to change the questions here!
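To make the security point of the answer above concrete, here is an added example (not code from the original answer or from CakePHP itself) that puts the unsafe, concatenated form of the same LIKE query beside the prepared-statement form. It runs against an in-memory SQLite database so it works offline; with the CakePHP 2 datasource from the question, the PDO handle would instead come from ConnectionManager::getDataSource('default')->getConnection(). The table, rows, function names and the input value are constructed for the example.

```php
<?php
// Added example: unsafe string-built query vs. bound parameter.
// Uses SQLite in memory so it runs without MySQL; the CakePHP handle
// would be ConnectionManager::getDataSource('default')->getConnection().

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample data.
$pdo->exec("CREATE TABLE agents (id INTEGER PRIMARY KEY, company TEXT)");
$seed = $pdo->prepare("INSERT INTO agents (company) VALUES (:company)");
foreach (array("Whatever Ltd", "O'Brien & Sons") as $c) {
    $seed->execute(array(':company' => $c));
}

// Unsafe: the user-controlled value becomes part of the SQL text, so any
// quote character in it changes the statement instead of being matched as data.
function findAgentsUnsafe(PDO $pdo, $company)
{
    $sql = "SELECT id, company FROM agents WHERE company LIKE '%" . $company . "%'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Safe: the SQL text is fixed at prepare() time and the value travels
// separately, so it can never be parsed as SQL. Note that the LIKE wildcards
// belong in the bound value, not in the SQL string.
function findAgentsSafe(PDO $pdo, $company)
{
    $stmt = $pdo->prepare("SELECT id, company FROM agents WHERE company LIKE :company");
    $stmt->bindValue(':company', '%' . $company . '%', PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$input = "O'Brien";   // constructed input containing a single quote

try {
    findAgentsUnsafe($pdo, $input);
} catch (PDOException $e) {
    // The quote terminated the string literal: the input was read as SQL.
    echo "unsafe query failed: " . $e->getMessage() . "\n";
}

foreach (findAgentsSafe($pdo, $input) as $row) {
    // Matches the second seeded row; the quote is just data here.
    echo $row['id'] . ': ' . $row['company'] . "\n";
}
```

The same rule applies to the datasource API: in CakePHP 2.x, DboSource::fetchAll() takes a parameter array as its second argument, so $db->fetchAll($sql, array('company' => $value)) binds the value rather than interpolating it. A stray quote that merely breaks the unsafe query is the benign case; the reason to bind is that the query text must never depend on input at all.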

A large part of the point of CakePHP is not to do this. Therefore I would recommend not doing this.

CakePHP has its own implementation for accessing a DB and you should use it if at all possible. Is there a particular reason you want to go around it?

If you really want to, you can still use mysqli, but I can't recommend it.
