Difference between DB::table and DB::select

Time: 2022-09-05 11:50:47

At the moment I am using:

DB::select('select * from users ');

but now I'm reading on http://laravel.com/docs/4.2/queries

about:

$users = DB::table('users')->get();

Both give back the same. Is there something different between these two?

In the documentation it does say: Note: The Laravel query builder uses PDO parameter binding throughout to protect your application against SQL injection attacks. There is no need to clean strings being passed as bindings.

For the second method. Does this mean the first method doesn't protect you against SQL injection? Is the second method a better way? Both return the results in a different way as well right?

Can I get some explanation about this?

1 solution

#1

3

No, the only difference here is the syntax. Yes, a DB::select doesn't protect against SQL injection. But SQL injection is only a risk when you pass in user input. For example this is vulnerable to SQL injection:

DB::select('SELECT * FROM users WHERE name = "'.Input::get('name').'"');

Whereas this is not:

DB::table('users')->where('name', Input::get('name'))->get();

But also this isn't: (Using bindings "manually")

DB::select('SELECT * FROM users WHERE name = ?', array(Input::get('name')));

The great advantage of the query builder (besides automatically protecting against SQL injection) is its flexible syntax. For example you could use a loop to add where statements:

$query = DB::table('users');

foreach($names as $name){
    $query->orWhere('name', 'LIKE', $name.'%');
}

$result = $query->get();
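The three patterns in the answer above (string concatenation, the query builder's where(), and DB::select with a bindings array) all come down to whether the user-supplied value is sent to the database as a bound parameter or spliced into the SQL text. The following is an added example, not code from the question, the answer or the Laravel project: it uses plain PDO with an in-memory SQLite database (the same PDO binding Laravel relies on) so it runs without a Laravel install. The function names, the sample rows and the input value are constructed for the demonstration. It also shows the answer's orWhere loop rebuilt with manual placeholders, so a dynamic number of conditions still uses bindings.

```php
<?php
// Added example (not from the original question or answer). Plain PDO + SQLite
// in memory; Laravel's query builder and DB::select($sql, $bindings) sit on PDO.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
// Constructed sample rows; the third name legitimately contains a double quote.
$pdo->exec("INSERT INTO users (name) VALUES ('alice'), ('bob'), ('O\"Brien')");

// Same shape as the answer's vulnerable DB::select('... name = "'.Input::get('name').'"'):
// the value becomes part of the SQL text, so any quote in it changes the statement.
function findByConcatenation(PDO $pdo, string $input): array
{
    $sql = 'SELECT * FROM users WHERE name = "' . $input . '"';
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Same shape as DB::select('... name = ?', array($input)) and as
// DB::table('users')->where('name', $input): the value travels as a bound
// parameter and is compared literally, quotes included.
function findByBinding(PDO $pdo, string $input): array
{
    $stmt = $pdo->prepare('SELECT * FROM users WHERE name = ?');
    $stmt->execute([$input]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// The answer's foreach/orWhere loop done with manual bindings: one placeholder
// per prefix, one bound value per placeholder, so the condition count is
// dynamic while the values never touch the SQL text. Note that binding does
// not neutralise LIKE wildcards (% and _) inside the prefixes themselves.
function findByPrefixes(PDO $pdo, array $prefixes): array
{
    if ($prefixes === []) {
        return [];
    }
    $clauses  = array_fill(0, count($prefixes), 'name LIKE ?');
    $bindings = array_map(fn(string $p): string => $p . '%', $prefixes);
    $stmt = $pdo->prepare('SELECT * FROM users WHERE ' . implode(' OR ', $clauses));
    $stmt->execute($bindings);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$input = 'O"Brien';   // constructed "user input": an ordinary name, not an attack

try {
    var_dump(findByConcatenation($pdo, $input));
} catch (PDOException $e) {
    // The quote ended the string literal early and the rest was parsed as SQL.
    echo 'concatenation failed: ' . $e->getMessage() . PHP_EOL;
}

var_dump(findByBinding($pdo, $input));          // one row: O"Brien
var_dump(findByPrefixes($pdo, ['al', 'bo']));   // two rows: alice, bob
```

The point to take from the run: the concatenated form breaks on harmless input as well as on hostile input, because the database cannot tell where the value ends and the SQL resumes; the bound form returns exactly the row whose name matches, and the database driver handles quoting. Whichever of DB::select with bindings or DB::table you prefer is a matter of syntax, as the answer says; the thing to avoid is building the SQL string from the value.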
