I'm writing a large sql query based on information i'm getting from a submitted form that contains the search parameters. I'm just wondering if anyone has any recommendations on the best way of doing this. I was planning on having a list of if else statements and building a long search string based on the data the user enters search form.
我正在根据我从包含搜索参数的提交表单中获取的信息编写一个大型SQL查询。我只是想知道是否有人对这方面的最佳方式有任何建议。我计划根据用户输入搜索表单的数据列出if else语句列表并构建长搜索字符串。
Is there a better way of doing this? Any recommended sites or tutorials out there?
有更好的方法吗?那里有推荐的网站或教程吗?
Thanks.
谢谢。
3 个解决方案
#1
1
You'll still need to worry about accidental SQL injection. Don't skip escaping user input.
您仍然需要担心意外的SQL注入。不要跳过转义用户输入。
As for actually building the query itself: It's not terribly uncommon to use php's control structures to concatenate a series of query parts, but many people find tools like the Zend Framework to be really handy.
至于实际构建查询本身:使用php的控制结构连接一系列查询部分并不是非常罕见,但很多人发现像Zend Framework这样的工具非常方便。
#2
2
First of all I would use a prepared statement because there is no reason not to and I never trust user input.
首先,我会使用准备好的声明,因为没有理由不这样做,我从不信任用户输入。
If you have your variables in an array or an object, I would just loop through it and add the variable and value if it is set in the $_POST array. Note that I am looping through my array or object - not $_POST - which basically acts as a white-list.
如果你有一个数组或一个对象的变量,我只是循环它并添加变量和值,如果它在$ _POST数组中设置。请注意,我循环遍历我的数组或对象 - 而不是$ _POST - 它基本上充当白名单。
You might need some additional checks for checkboxes that are changed and not set as they will not appear in the $_POST array.
您可能需要对已更改但未设置的复选框进行一些额外检查,因为它们不会出现在$ _POST数组中。
#3
0
Trust but check. It's simple escape all incoming parameters.
信任但检查。它很简单地逃避所有传入的参数。
mysql_real_escape_string
mysql_real_escape_string
#1
1
You'll still need to worry about accidental SQL injection. Don't skip escaping user input.
您仍然需要担心意外的SQL注入。不要跳过转义用户输入。
As for actually building the query itself: It's not terribly uncommon to use php's control structures to concatenate a series of query parts, but many people find tools like the Zend Framework to be really handy.
至于实际构建查询本身:使用php的控制结构连接一系列查询部分并不是非常罕见,但很多人发现像Zend Framework这样的工具非常方便。
#2
2
First of all I would use a prepared statement because there is no reason not to and I never trust user input.
首先,我会使用准备好的声明,因为没有理由不这样做,我从不信任用户输入。
If you have your variables in an array or an object, I would just loop through it and add the variable and value if it is set in the $_POST array. Note that I am looping through my array or object - not $_POST - which basically acts as a white-list.
如果你有一个数组或一个对象的变量,我只是循环它并添加变量和值,如果它在$ _POST数组中设置。请注意,我循环遍历我的数组或对象 - 而不是$ _POST - 它基本上充当白名单。
You might need some additional checks for checkboxes that are changed and not set as they will not appear in the $_POST array.
您可能需要对已更改但未设置的复选框进行一些额外检查,因为它们不会出现在$ _POST数组中。
#3
0
Trust but check. It's simple escape all incoming parameters.
信任但检查。它很简单地逃避所有传入的参数。
mysql_real_escape_string
mysql_real_escape_string