使用 PHP 转义包含变量的 MySQL 查询
Escaping a MySQL query containing variables with PHP
我在一个WordPress网站上运行查询数据库的代码如下:
$entries = $wpdb->get_results( "SELECT `id`, `lead_id`, `form_id`, `field_number`, `value` FROM `wp_rg_lead_detail` WHERE `value` = \"John\" OR `value` = \"Smith\" OR `value` = \"22101\" ORDER BY `lead_id`" );
我想用预定义变量替换硬编码值。我尝试使用以下代码这样做:
$entries = $wpdb->get_results( "SELECT `id`, `lead_id`, `form_id`, `field_number`, `value` FROM `wp_rg_lead_detail` WHERE `value` = " . $data['voterdata_FirstName'] . " OR `value` = " . $data['voterdata_LastName'] . " OR `value` = " . $data['voterdata_VoterZip'] . " ORDER BY `lead_id`" );
不幸的是,第二个代码块不起作用。我注意到 OR 和 ORDER BY 条件没有被正确解释,但我不知道如何解决这个问题。我的串联看起来不错,所以我假设问题出在转义序列上。任何人都可以建议解决方案吗?
您仍然需要引用您的参数,因为在 mySQL 看到它们时它们实际上是常量。
试试这个:
$entries = $wpdb->get_results( "SELECT `id`, `lead_id`, `form_id`, `field_number`, `value` FROM `wp_rg_lead_detail` WHERE `value` = \"" . $data['voterdata_FirstName'] . "\" OR `value` = \"" . $data['voterdata_LastName'] . "\" OR `value` = \"" . $data['voterdata_VoterZip'] . "\" ORDER BY `lead_id`" );
更好的是,您可以用单个 IN 子句替换 OR:
$entries = $wpdb->get_results( "SELECT `id`, `lead_id`, `form_id`, `field_number`, `value` FROM `wp_rg_lead_detail` WHERE `value` = IN(\"" . $data['voterdata_FirstName'] . "\", \"" . $data['voterdata_LastName'] . "\", \"" . $data['voterdata_VoterZip'] . "\") ORDER BY `lead_id`" );
您的查询不等价 - 您忘记引用(并转义)您的变量:
[...snip...] OR `value` = " . $data['voterdata_LastName'] . " [...snip...]
^---------------------------------^--- PHP string delimiters, not sql
所以你正在生成
OR `value` = foo
而不是
OR `value` = 'foo'
老实说,我不确定问题是什么。 "Escaping the data for query",或 "Making this to work properly"(从引号的角度来看问题),或两者兼而有之。
通过这种方式,您需要知道 $wpdb->get_results() 将使用 $wpdb->query() 方法(检查 class here 的定义)
考虑到这一点,如果您检查有关此主题的 wordpress 文档,您需要 肯定会使用 $wpdb->prepare()(规则是:检查 documentation 实施前)。
这将为我们提供如下内容:
$wpdb->get_results(
$wpdb->prepare(
"SELECT `id`, `lead_id`, `form_id`, `field_number`, `value` FROM `wp_rg_lead_detail` WHERE `value` = %s OR `value` = %s OR `value` = %s ORDER BY `lead_id`",
$name1,
$name2,
$name3
)
);
假设上面正确定义了名称。
谢谢你们的回复,伙计们。解决方法如下:
$entries = $wpdb->get_results( $wpdb->prepare(
"SELECT `id`, `lead_id`, `form_id`, `field_number`, `value` FROM `wp_rg_lead_detail` WHERE ( `value` = %s OR `value` = %s OR `value` = %s ) ORDER BY `lead_id`",
array( $data['voterdata_FirstName'], $data['voterdata_LastName'], $data['voterdata_ZipCode'] )
)
);
我在一个WordPress网站上运行查询数据库的代码如下:
$entries = $wpdb->get_results( "SELECT `id`, `lead_id`, `form_id`, `field_number`, `value` FROM `wp_rg_lead_detail` WHERE `value` = \"John\" OR `value` = \"Smith\" OR `value` = \"22101\" ORDER BY `lead_id`" );
我想用预定义变量替换硬编码值。我尝试使用以下代码这样做:
$entries = $wpdb->get_results( "SELECT `id`, `lead_id`, `form_id`, `field_number`, `value` FROM `wp_rg_lead_detail` WHERE `value` = " . $data['voterdata_FirstName'] . " OR `value` = " . $data['voterdata_LastName'] . " OR `value` = " . $data['voterdata_VoterZip'] . " ORDER BY `lead_id`" );
不幸的是,第二个代码块不起作用。我注意到 OR 和 ORDER BY 条件没有被正确解释,但我不知道如何解决这个问题。我的串联看起来不错,所以我假设问题出在转义序列上。任何人都可以建议解决方案吗?
您仍然需要引用您的参数,因为在 mySQL 看到它们时它们实际上是常量。
试试这个:
$entries = $wpdb->get_results( "SELECT `id`, `lead_id`, `form_id`, `field_number`, `value` FROM `wp_rg_lead_detail` WHERE `value` = \"" . $data['voterdata_FirstName'] . "\" OR `value` = \"" . $data['voterdata_LastName'] . "\" OR `value` = \"" . $data['voterdata_VoterZip'] . "\" ORDER BY `lead_id`" );
更好的是,您可以用单个 IN 子句替换 OR:
$entries = $wpdb->get_results( "SELECT `id`, `lead_id`, `form_id`, `field_number`, `value` FROM `wp_rg_lead_detail` WHERE `value` = IN(\"" . $data['voterdata_FirstName'] . "\", \"" . $data['voterdata_LastName'] . "\", \"" . $data['voterdata_VoterZip'] . "\") ORDER BY `lead_id`" );
您的查询不等价 - 您忘记引用(并转义)您的变量:
[...snip...] OR `value` = " . $data['voterdata_LastName'] . " [...snip...]
^---------------------------------^--- PHP string delimiters, not sql
所以你正在生成
OR `value` = foo
而不是
OR `value` = 'foo'
老实说,我不确定问题是什么。 "Escaping the data for query",或 "Making this to work properly"(从引号的角度来看问题),或两者兼而有之。
通过这种方式,您需要知道 $wpdb->get_results() 将使用 $wpdb->query() 方法(检查 class here 的定义)
考虑到这一点,如果您检查有关此主题的 wordpress 文档,您需要 肯定会使用 $wpdb->prepare()(规则是:检查 documentation 实施前)。
这将为我们提供如下内容:
$wpdb->get_results(
$wpdb->prepare(
"SELECT `id`, `lead_id`, `form_id`, `field_number`, `value` FROM `wp_rg_lead_detail` WHERE `value` = %s OR `value` = %s OR `value` = %s ORDER BY `lead_id`",
$name1,
$name2,
$name3
)
);
假设上面正确定义了名称。
谢谢你们的回复,伙计们。解决方法如下:
$entries = $wpdb->get_results( $wpdb->prepare(
"SELECT `id`, `lead_id`, `form_id`, `field_number`, `value` FROM `wp_rg_lead_detail` WHERE ( `value` = %s OR `value` = %s OR `value` = %s ) ORDER BY `lead_id`",
array( $data['voterdata_FirstName'], $data['voterdata_LastName'], $data['voterdata_ZipCode'] )
)
);