

CodeIgniter SQL Injection and query structure (dynamic where clause with same column name)

I'm trying to make sure that my CodeIgniter query is safe from SQL injection, but I can't really find an example illustrating this or explaining whether the parameters I'm using are escaped/bound.

// The ids to match; in the real code these come from user input.
$inputArray = [1,2,3,4,5];
$this->db_name->select('a_column');
$this->db_name->from('a_table');
// One OR condition per id, all on the same column.
foreach ($inputArray as $item) {
    $this->db_name->or_where('id',$item);
}

// Run the built query.
$query = $this->db_name->get();

Most importantly, are all the items from my input array that I'm checking for as a matching id bound/escaped to protect from SQL injection? If not, how should I structure a query like this?

I don't really care for how I've structured this query; any guidance on this would be appreciated. In fact I don't really like it at all, but I need to make sure I'm using query building with CodeIgniter in such a way that it will be easily switchable to a different database system if for whatever reason I weren't using the one I'm using now (e.g. MySQL to Oracle). I also realize that a where clause this simple would probably never differ and is universal if I were to just write it in regular SQL, but I'm trying to learn best practices for CI for when other scenarios come up and things might be more complicated or differ between database systems and syntax.

Any help is much appreciated! Thanks.

Yes, it's protected. From the CodeIgniter Query Builder documentation:

Beyond simplicity, a major benefit to using the Query Builder features is that it allows you to create database independent applications, since the query syntax is generated by each database adapter. It also allows for safer queries, since the values are escaped automatically by the system.
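One way to verify the escaping for yourself rather than take it on trust, as an added example that is not from the question, the answer or the CodeIgniter project: it targets CodeIgniter 3, assumes it runs inside a model where `$this->db` is the loaded database object, and the class and method names are hypothetical.

```php
<?php
// Added example for CodeIgniter 3; assumes $this->db is the loaded database
// object (e.g. inside a CI model). Class and method names are hypothetical.
class Example_model extends CI_Model
{
    // Compile the id filter to SQL without executing it, so the escaping of
    // each value can be inspected in a log or unit test.
    public function ids_query_sql(array $ids)
    {
        if (empty($ids)) {
            // where_in() with an empty array would produce "IN()", which is
            // invalid SQL; return nothing rather than a query over the whole table.
            return '';
        }
        // where_in() is the idiomatic form of the or_where() loop in the
        // question. Each element is passed through the active driver's escape(),
        // so a string such as "2 OR 1=1" comes out as one quoted string literal,
        // never as SQL. Note the caveat: where()/or_where() accept a third
        // argument $escape; passing FALSE there turns escaping OFF for that
        // clause, so never do that with user-controlled values.
        $this->db->select('a_column')
                 ->from('a_table')
                 ->where_in('id', $ids);
        // get_compiled_select() returns the SQL string and resets the builder.
        return $this->db->get_compiled_select();
    }

    // Belt-and-braces: an id column is numeric, so reject anything that is not
    // a non-negative integer before it reaches the builder at all. Escaping
    // already prevents injection; this additionally stops nonsense input and
    // keeps the plan simple (integer compare instead of string compare).
    public function column_for_ids(array $ids)
    {
        foreach ($ids as $id) {
            if (!ctype_digit((string) $id)) {
                throw new InvalidArgumentException('id must be a non-negative integer');
            }
        }
        $ids = array_map('intval', $ids);
        return $this->db->select('a_column')
                        ->from('a_table')
                        ->where_in('id', $ids)
                        ->get()
                        ->result_array();
    }
}
```

Calling `ids_query_sql(['1', '2 OR 1=1'])` and logging the result shows the second element inside quotes as a single literal; `column_for_ids()` with the same input throws before any query is built.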
