[英]Zend Framework Navigation, escape option to view html within a title?
[英]How to escape things within zend literal?
我正在創建一個高級搜索,並想通過將它們添加到一個數組來循環我的查詢:
private $searchFields = [
'as_first_name' => 'users.first_name like "%VALUE%"',
'as_last_name' => 'users.last_name like "%VALUE%"',
'as_payment_history_invoice_num' => 'users.user_id = (SELECT user_id from payment_history where payment_history.invoice_number = "VALUE" LIMIT 1)',
'as_building_num' => 'property_units.building_number like "%VALUE%"',
'as_residents_email' => 'users.email like "%VALUE%"',
'as_property_name' => 'property.name like "%VALUE%"',
'as_phone_num' => 'REPLACE(REPLACE(REPLACE(REPLACE(users.phone, " ", ""), "(", ""), ")", ""), "-", "") = "VALUE"',
'as_unit_num' => 'property_units.unit_number = "VALUE"',
'as_account_status' => 'user_status.status_name = "VALUE"'
];
所以在搜索我做的事情...
if (array_key_exists($key, $this->searchFields)) {
$form->get($key)->setValue($val);
$where->NEST->literal(str_replace('VALUE', urldecode($val), $this->searchFields[$key]))->UNNEST;
}
但問題是我沒有逃避任何事情。 不好。 我怎樣才能使用相同的結構,但也可以逃避。
Literal
謂詞適用於沒有占位符的情況。 您應該使用Expression
謂詞。
private $searchFields = [
'as_first_name' => 'users.first_name like "?"',
'as_last_name' => 'users.last_name like "?"',
'as_payment_history_invoice_num' => 'users.user_id = (SELECT user_id from payment_history where payment_history.invoice_number = "?" LIMIT 1)',
'as_building_num' => 'property_units.building_number like "?"',
'as_residents_email' => 'users.email like "?"',
'as_property_name' => 'property.name like "?"',
'as_phone_num' => 'REPLACE(REPLACE(REPLACE(REPLACE(users.phone, " ", ""), "(", ""), ")", ""), "-", "") = "?"',
'as_unit_num' => 'property_units.unit_number = "?"',
'as_account_status' => 'user_status.status_name = "?"'
];
zend-form值應該已經被解碼,因此不需要urldecode
if (array_key_exists($key, $this->searchFields)) {
$form->get($key)->setValue($val);
$where->NEST->expression($this->searchFields[$key], $val)->UNNEST;
}
我很長一段時間沒有使用zend-db,請確保檢查此代碼實際上是否產生了您需要的查詢。
你不應該使用urldecode
; 它應該在你到達之前解碼。 聽起來NEST
可能對這種情況太過花哨了。
foreach (...)
{
$val = ...; // Get the raw value from the form field ($_POST[...] or whatever)
$mval = addslashes($val);
$sf = $this->searchFields[...];
$msf = str_replace('VALUE', $mval, $sf);
... $msf ...
}
mysqli_real_escape_str
會比addslashes
更好,但你需要擁有mysql連接對象; 你有嗎?
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.