在 Laravel 中使用 DB :: select 和其他人是否安全?
Is it safe to use DB :: select and others in Laravel?
查询并不总是简单的,有时我需要创建一个纯粹的 SQL 查询,查询生成器也不适合。
使用 DB::select 时,
请求中替换的变量?
这种情况下会有sql注入吗?
$mastersInCity = DB::select('SELECT
master_user.master_id,
masters.specialization,
category_letter_master.category_letter_id AS master_letter,
COUNT(*) AS count_in_city
FROM master_user
LEFT JOIN masters ON master_user.master_id = masters.id
LEFT JOIN category_letter_master ON category_letter_master.master_id = master_user.master_id
WHERE ' . $chooiseId . ' = ' . $cityId . ' GROUP
BY master_user.master_id, master_letter');
或者,这种情况下,直接使用PDO比较好,自己手动准备请求,可以吗?
$mastersInCity = DB::select('SELECT
master_user.master_id,
masters.specialization,
category_letter_master.category_letter_id AS master_letter,
COUNT(*) AS count_in_city
FROM master_user
LEFT JOIN masters ON master_user.master_id = masters.id
LEFT JOIN category_letter_master ON category_letter_master.master_id = master_user.master_id
WHERE ? = ? GROUP
BY master_user.master_id, master_letter', [$chooiseId, $cityId]);
这相当于准备好的语句。
文档:https://laravel.com/docs/5.7/database#running-queries
编辑:我相信这可以用 eloquent 简单地完成,这里没有什么太复杂的。类似于:
MasterUser::with(['master', 'master_letter'])->withCount()->where($chooiseId, $cityId)->get()
查询并不总是简单的,有时我需要创建一个纯粹的 SQL 查询,查询生成器也不适合。 使用 DB::select 时, 请求中替换的变量?
这种情况下会有sql注入吗?
$mastersInCity = DB::select('SELECT
master_user.master_id,
masters.specialization,
category_letter_master.category_letter_id AS master_letter,
COUNT(*) AS count_in_city
FROM master_user
LEFT JOIN masters ON master_user.master_id = masters.id
LEFT JOIN category_letter_master ON category_letter_master.master_id = master_user.master_id
WHERE ' . $chooiseId . ' = ' . $cityId . ' GROUP
BY master_user.master_id, master_letter');
或者,这种情况下,直接使用PDO比较好,自己手动准备请求,可以吗?
$mastersInCity = DB::select('SELECT
master_user.master_id,
masters.specialization,
category_letter_master.category_letter_id AS master_letter,
COUNT(*) AS count_in_city
FROM master_user
LEFT JOIN masters ON master_user.master_id = masters.id
LEFT JOIN category_letter_master ON category_letter_master.master_id = master_user.master_id
WHERE ? = ? GROUP
BY master_user.master_id, master_letter', [$chooiseId, $cityId]);
这相当于准备好的语句。
文档:https://laravel.com/docs/5.7/database#running-queries
编辑:我相信这可以用 eloquent 简单地完成,这里没有什么太复杂的。类似于:
MasterUser::with(['master', 'master_letter'])->withCount()->where($chooiseId, $cityId)->get()