
Yii2, Can't Update the letter into database

I was studying Yii2.

I found a few problems when I wanted to update values in existing records.

Here is my code for the update:

    <?php
    function UpdateValue($date_time, $svname, $tname, $path, $ttech)
    {
        $folder = 'C:\xampp_x\htdocs\yii-application\frontend\web\readtext\\' . $path . '\\';
        $folder_dir = dir($folder);

        $connection = Yii::$app->db;

        // read() returns false at the end of the listing, so compare strictly
        while (($file = $folder_dir->read()) !== false) {
            // skip the directory entries for the current and parent folder
            if ($file === '.' || $file === '..') {
                continue;
            }

            // only handle files whose name contains neither '-' nor '_'
            $posl = strpos($file, '-');
            $posu = strpos($file, '_');
            if ($posl === false && $posu === false) {

                $name_ttech = 'app\models\\' . $ttech;

                $model_update1 = $name_ttech::find()
                    ->select('No')
                    ->where(['FileName' => $file]);

                foreach ($model_update1->all() as $value_num) {
                    $num = $value_num->No;

                    // the included file is expected to set $value
                    include $folder . $file;

                    // the values are concatenated straight into the SQL string
                    // (this is what produces the error shown below)
                    $command = $connection->createCommand(
                        'UPDATE ' . $tname . ' SET Value = ' . $value
                        . ' WHERE No=' . $num
                        . ' AND DateTimeBatch=' . $date_time
                        . ' AND SeverName=' . $svname
                    );

                    $command->execute();
                }
            }
        }
    }

And the error (screenshot): http://i.stack.imgur.com/DUFm2.png

  • I used SQL Server 2008

Thank you

The problem is with your SQL query. You should use binding params via PDO, not just a concatenated SQL query string, because concatenating values into an SQL query is the worst practice and leads to SQL injection.

In your error you can see that $value inside the SQL query isn't escaped.

So an example of your query should be like this:

    // double quotes so that {$tname} is interpolated; the WHERE conditions are joined with AND
    $db->createCommand("UPDATE {$tname} SET Value = :value
                        WHERE No=:num AND DateTimeBatch=:datetime AND SeverName=:server_name", [
        ':value' => $value,
        ':num' => $num,
        ':datetime' => $date_time,
        ':server_name' => $svname,
    ])->execute();

But also, you have some unclear logic in your code. You are using Model classes to find rows, but also the QueryBuilder to update them. You are including some strange logic from another file, but you could better encapsulate this logic in your Model class or a helper (depending on what you are doing in that class).

You should learn how to use parameter binding to avoid this kind of error and security problems, e.g.:

    // the placeholder names in the SQL and in the parameter array must match exactly
    $connection->createCommand('UPDATE '.$tname.' SET Value = :value WHERE No=:num AND DateTimeBatch=:date_time AND ServerName=:svname', [
        ':value' => $value,
        ':num' => $num,
        ':date_time' => $date_time,
        ':svname' => $svname,
    ])->execute();

Read more about binding parameters in Yii2.

Or you could simply use an update command:

    $connection->createCommand()->update($tname, ['Value' => $value], ['No' => $num, 'DateTimeBatch' => $date_time, 'serverName' => $svname])->execute();

Read more about the Yii2 update command.
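As an added example, not code from the question or from either answer, here is the same UPDATE run two ways through plain PDO, which is the layer Yii2's createCommand() wraps: once by string concatenation and once with bound parameters. It assumes PHP with the pdo_sqlite extension; the table, the row and the variables (including a value that contains a quote) are constructed for the demonstration.

```php
<?php
// Added example (not code from the question or either answer): the same UPDATE
// run two ways through plain PDO, the layer Yii2's createCommand() wraps.
// Assumes PHP with the pdo_sqlite extension; the table, the row and the
// variables below are constructed for the demonstration.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE ttech (No INTEGER, DateTimeBatch TEXT, SeverName TEXT, Value TEXT)');
$pdo->exec("INSERT INTO ttech VALUES (1, '2020-01-01 00:00:00', 'srv1', 'old')");

$num       = 1;
$date_time = '2020-01-01 00:00:00';
$svname    = 'srv1';
$value     = "O'Brien";   // ordinary data that happens to contain a quote

// 1. String concatenation, with the literals quoted by hand as a first attempt
//    at fixing the question's query. The quote inside $value ends the literal
//    early, so the statement is malformed and the driver rejects it; input
//    built for that purpose could just as well change what the statement does.
try {
    $pdo->exec("UPDATE ttech SET Value = '$value'"
        . " WHERE No=$num AND DateTimeBatch='$date_time' AND SeverName='$svname'");
    echo "concatenated query ran" . PHP_EOL;
} catch (PDOException $e) {
    echo "concatenated query failed: " . $e->getMessage() . PHP_EOL;
}

// 2. Parameter binding: the SQL text is fixed and the values travel separately,
//    so a quote in the data is stored as data and is never parsed as SQL.
$stmt = $pdo->prepare('UPDATE ttech SET Value = :value'
    . ' WHERE No = :num AND DateTimeBatch = :date_time AND SeverName = :svname');
$stmt->execute([
    ':value'     => $value,
    ':num'       => $num,
    ':date_time' => $date_time,
    ':svname'    => $svname,
]);
echo "bound query updated " . $stmt->rowCount() . " row(s)" . PHP_EOL;

// read the row back: the stored value keeps its quote intact
$row = $pdo->query('SELECT Value FROM ttech WHERE No = 1')->fetch(PDO::FETCH_ASSOC);
echo "stored value: " . $row['Value'] . PHP_EOL;
```

The first branch reports a syntax error from SQLite, while the bound statement updates the row and stores the value unchanged.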
