How to prevent SQL injection in parameters with CakePHP

Question

How to prevent SQL Injection while fetching data from the database when using parameters received from the user input:

```php
if(isset($_GET['cityval']) && $_GET['cityval'] !=''){
    $city = $this->request->query('cityval');
    $searching .= " and college_city in ($city) ";
} else {
    $searching .= "";
}
if(isset($_GET['scholarship']) && $_GET['scholarship'] !=''){
    $searching .= " and college_scholarship = '".$_GET['scholarship']."' ";
} else {
    $searching .= "";
}
```

And my main query is below:

```php
$search = $this->Search->query("select * from colleges where college_id!='' and status='active' $searching order by $order desc limit $start, 10 ");
```

Solution

Start actually using the framework or don't use it at all. You're not using the request object, you're not using the ORM, you're working against and around the framework. From your code it is totally clear that you haven't bothered to spend some time reading the manual.

wcomnisky's answer has a ton of not required code, nor is that answer using the framework in its intended way either.

If you care about creating some well written code then you really should start by doing the blog tutorial of the official documentation, book.cakephp.org. If not, stop reading and do what wcomnisky proposes. It might work, but it's not good code, nor the correct way to use the framework, nor is it the most simple solution. If you don't have an interest in doing things properly you can stop reading by now.

What you are trying to do is obviously to search by GET parameters.
There is a wonderful plugin that makes it pretty easy: https://github.com/FriendsOfCake/search

It could be actually that easy with the plugin:

```php
$query = $this->Colleges->find('search', ['search' => $this->request->query]);
$this->set('results', $this->Paginator->paginate($query));
```

The search params themselves will be handled in the model layer; check the plugin's documentation on that. And the framework will take care of sanitizing the input.

The above requires that you actually understood the very basics of the framework and that you know what you do. If, for whatever reason, you have no interest in using what the framework offers you, it will be better to not use it at all, because you'll just pile up unmaintainable code and cause overhead.
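For readers who want to see what "use the ORM" means for the exact query in the question without pulling in the search plugin, here is an added example (not code from the question, the answer, or the plugin). It rewrites the college search against the CakePHP 3 ORM query builder so that every user-supplied value is bound as a placeholder rather than concatenated into SQL, and it goes one step beyond the thread by handling the `$order` column, which cannot be bound and therefore has to be checked against a whitelist. It assumes CakePHP 3.4+ (for `$this->request->getQuery()`), a `CollegesTable` with the columns named in the question, the Paginator component loaded in `AppController`, and a hypothetical `order` query parameter; the `SORTABLE` column list is a made-up placeholder.

```php
<?php
// Added example, not from the original question or answer.
// Assumes CakePHP 3.4+, a CollegesTable with columns college_id, status,
// college_city, college_scholarship, and the Paginator component loaded.
namespace App\Controller;

class CollegesController extends AppController
{
    // Column names cannot be bound as query parameters, so the ORDER BY
    // column is accepted only if it appears in this (placeholder) whitelist.
    const SORTABLE = ['college_name', 'college_rank', 'created'];

    public function search()
    {
        // Base conditions; the ORM emits `college_id != :c0 AND status = :c1`.
        $query = $this->Colleges->find()
            ->where([
                'college_id !=' => '',
                'status' => 'active',
            ]);

        // ?cityval=Pune,Mumbai -> split into values; the ORM then emits
        // `college_city IN (:c2, :c3)` with one bound placeholder per value,
        // instead of the raw "in ($city)" interpolation from the question.
        $cityval = (string)$this->request->getQuery('cityval', '');
        $cities = array_values(array_filter(array_map('trim', explode(',', $cityval)), 'strlen'));
        if ($cities !== []) { // an empty IN () list throws, so skip it
            $query->where(['college_city IN' => $cities]);
        }

        // Scalar equality is bound as `college_scholarship = :c4`.
        $scholarship = $this->request->getQuery('scholarship');
        if ($scholarship !== null && $scholarship !== '') {
            $query->where(['college_scholarship' => $scholarship]);
        }

        // ORDER BY: validate the column against the whitelist, never interpolate.
        $order = (string)$this->request->getQuery('order', 'college_name');
        if (!in_array($order, self::SORTABLE, true)) {
            $order = 'college_name';
        }
        $query->order([$order => 'DESC']);

        // Paginator derives LIMIT/OFFSET from ?page=N with integer casting,
        // replacing the hand-built "limit $start, 10".
        $this->set('results', $this->Paginator->paginate($query, ['limit' => 10]));
    }
}
```

The check that matters most for review is that no request value ever reaches a string that is later executed: city and scholarship values travel through `where()` as bound parameters, the sort column is only ever one of the constants in `SORTABLE`, and the page size is fixed, so the three interpolation points in the original (`$city`, `$_GET['scholarship']`, `$order`/`$start`) are all gone.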