Querying hex numbers with PDO in PHP - does PDO always add quotes around hex numbers?

Time: 2022-01-06 15:19:36

I am trying to execute this query using PDO:

select * from users where uuid = 0x1e8ef774581c102cbcfef1ab81872213;

I pass this SQL query to the prepare method of PDO:

select * from users where uuid = :uuid

Then I pass this hashmap to execute:

Array ( [:uuid] => 0x1e8ef774581c102cbcfef1ab81872213 ) 

It looks like this query is being executed on the mysql server, when I call fetchAll:

select * from users where uuid = '0x1e8ef774581c102cbcfef1ab81872213';

How can I execute the query without having PDO add the quotes around my hex?

Thanks, Steve

1 solution

#1


0  

Your value HAS to be inserted as a string, as it's far beyond (128-bit) what can be represented as a normal number in PHP in both 64-bit and 32-bit editions.

e.g. skip the placeholders and embed it into the query string directly:

$uuid = '0x....';
$sql = "SELECT ... WHERE uuid = $uuid";

which means you lose the benefits of placeholders, and will have to deal with SQL injection mitigation directly.

You don't mention which DBMS you're using, but you might be able to get around it by exploiting your DBMS's casting functions, eg.

SELECT... WHERE uuid = CAST(:uuid AS uuid_type)

with this, even though it goes into the DB as a string, it'll be treated as a native uuid when push comes to shove.
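The following is an added example, not code from the question or the answer above. It shows how to keep the PDO placeholder and still match a 128-bit UUID stored in MySQL, which is what the asker's fetchAll log suggests the server is. It assumes a `users` table whose `uuid` column is `BINARY(16)` (a hex literal such as `0x1e8e...` is a binary string in MySQL, so it compares byte-for-byte with such a column, while the quoted text `'0x1e8e...'` does not). The three `findByUuid*` functions, `parseHexUuid`, and the connection details are illustrative names chosen for this example. The answer's suggestion of embedding the literal directly into the SQL is shown last, gated behind the same strict whitelist check, since that check is the only thing standing between it and SQL injection.

```php
<?php
// Added example (not from the original post): matching a BINARY(16) uuid
// column in MySQL through PDO without PDO quoting the hex as text.
// Assumed schema: users(uuid BINARY(16), ...). All names are illustrative.

declare(strict_types=1);

// Strict whitelist: exactly "0x" followed by 32 hex digits.
// Returns the 32 hex characters, lower-cased and without the prefix.
function parseHexUuid(string $input): string
{
    if (!preg_match('/\A0x([0-9a-fA-F]{32})\z/', $input, $m)) {
        throw new InvalidArgumentException('expected 0x followed by 32 hex digits');
    }
    return strtolower($m[1]);
}

// Preferred: keep the placeholder and let MySQL decode the hex.
// The bound value is a 32-character string; UNHEX() turns it into the
// 16 raw bytes, which compare correctly against a BINARY(16) column.
function findByUuidUnhex(PDO $pdo, string $hexUuid): array
{
    $stmt = $pdo->prepare('SELECT * FROM users WHERE uuid = UNHEX(:uuid)');
    $stmt->execute([':uuid' => parseHexUuid($hexUuid)]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Equivalent: decode in PHP and bind the 16 raw bytes as a binary parameter.
// The "number" never has to fit in a PHP integer; it travels as bytes.
function findByUuidBinary(PDO $pdo, string $hexUuid): array
{
    $raw = hex2bin(parseHexUuid($hexUuid));            // 16 bytes
    $stmt = $pdo->prepare('SELECT * FROM users WHERE uuid = :uuid');
    $stmt->bindValue(':uuid', $raw, PDO::PARAM_LOB);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// The answer's approach: embed an unquoted 0x literal into the SQL text.
// Only acceptable because parseHexUuid() has already rejected anything
// that is not 32 hex digits; never interpolate the caller's raw string.
function findByUuidLiteral(PDO $pdo, string $hexUuid): array
{
    $literal = '0x' . parseHexUuid($hexUuid);
    $stmt = $pdo->query("SELECT * FROM users WHERE uuid = $literal");
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Connection settings are placeholders for this example.
$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'user', 'pass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepared statements
]);

$rows = findByUuidUnhex($pdo, '0x1e8ef774581c102cbcfef1ab81872213');
printf("%d row(s) matched\n", count($rows));
```

With emulated prepares turned off, the UNHEX() and raw-byte variants send the value as a true parameter, so the question of PDO adding quotes never arises; the literal variant is kept only to show what the whitelist has to guarantee if you take the answer's route. If the column is actually stored as text (CHAR(32)/CHAR(36)) rather than BINARY(16), none of the hex forms will match and the value should simply be bound as the string the column holds.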
