问题描述
我想知道如何在 where 子句中绑定值.我知道出于安全原因必须这样做.
I'd like to know how to bind values in where clause. I have understood that is something that MUST be done for security reasons.
$db = JFactory::getDbo();
$query = $db->getQuery(true);
$query
->select("*")
->from($db->quoteName("food"))
->where("taste = :taste")
->bind(':taste', 'sweet');
$db->setQuery($query);
$rows = $db->loadAssocList();
我收到此错误:
您的 SQL 语法有错误;检查手册对应于您的 MySQL 服务器版本以使用正确的语法靠近第 3 行的 ':taste' SQL=SELECT * FROM food
WHEREtaste = :taste
我的代码基于这篇文章.它说在 Joomla 3.1 中只有PDO/Sqlite 和 PDO/Oracle 支持准备好的语句",我使用的是 Joomla 3.2.1 和 MySQL,在我的 Joomla 配置 MySQLi.可能是这个问题吗?
My code is based on this post. It said that in Joomla 3.1 only "PDO/Sqlite and PDO/Oracle are supporting prepared statements", I am using Joomla 3.2.1 and MySQL, and in my Joomla configuration MySQLi. Could be that the problem?
我很困惑,因为我不知道必须遵循什么 API/Class.
I am quite confused because I dont know what API / Class have to follow.
- JDatabase for Joomla 3.x 有没有绑定方法,而且资料很少,好像没有完成.
- JDatabase for Joomla 2.5 有更多信息,但显然是不是我的版本.没有绑定方法.
- JDatabaseQuery for Joomla 3.x 没有绑定方法
- JDatabaseQuerySqlite for Joomla 3.x 有 绑定方法
- JDatabaseQueryPdo for Joomla 3.x 没有绑定方法
- Joomla 3.x 的 JTable 有 绑定方法
- JDatabase for Joomla 3.x there is no bind method, and the information is scant, seems like is not completed.
- JDatabase for Joomla 2.5 has more information, but obviously is not my version. there is no bind method.
- JDatabaseQuery for Joomla 3.x there is no bind method
- JDatabaseQuerySqlite for Joomla 3.x has bind method
- JDatabaseQueryPdo for Joomla 3.x there is no bind method
- JTable for Joomla 3.x has bind method
我什至开始怀疑是否必须使用 JFactory::getDbo() 在 Joomla DB 中选择/插入/更新/删除数据.
Even I'm starting to doubt if I have to use JFactory::getDbo() to Select/Insert/Update/Delete data in Joomla DB.
提前致谢.
推荐答案
据我所知,您不能使用准备好的语句,也不能使用 Joomla 绑定值.
As far as I know, you can't use prepared statements nor bind values with Joomla.
如果您从 Joomla 文档 (http://docs.joomla.org/Secure_coding_guidelines#Constructing_SQL_queries),他们不讨论准备好的语句,只讨论使用强制转换或引用来避免 SQL 注入.
If you read the Secure Coding Guideliness from the Joomla documentation (http://docs.joomla.org/Secure_coding_guidelines#Constructing_SQL_queries), they don't talk about prepared statements, only about using casting or quoting to avoid SQL injection.
这篇关于如何在 Joomla 3 的查询中使用准备语句/绑定值?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!