0

这种方法;

Route::get('admin/user/delete/(:any)', array('as' => 'username', 'uses' => 'admin@user_delete_process'));

public function action_user_delete_process($username)
{
    $result = User::find($username)->delete();
}

我需要担心注射吗?

4

1 回答 1

1

一般来说,ORM 处理所有的转义。除非您传递原始 SQL 查询,否则您应该可以在不转义输入的情况下进行操作。为了确认,我挖掘了 Laravel 的代码,发现了这个execute()方法,它确实利用了PDO::prepare

/** laravel/database/connection.php, lines 219-278 */
protected function execute($sql, $bindings = array())
{
    /* ... */
    try
    {
        $statement = $this->pdo->prepare($sql);

        $start = microtime(true);

        $result = $statement->execute($bindings);
    }
    // If an exception occurs, we'll pass it into our custom exception
    // and set the message to include the SQL and query bindings so
    // debugging is much easier on the developer.
    catch (\Exception $exception)
    {
        $exception = new Exception($sql, $bindings, $exception);

        throw $exception;
    }
    /* ... */
}
于 2013-04-07T22:54:52.183 回答