0

我想阻止我的注入语句,但我对活动记录和查询绑定感到困惑。

这是我当前的 mysql 查询,称为结果。

$results = $this->EE->db->query("SELECT t.transactionid, t.transactiontime, t.created, ct.title, cd.field_id_6, cd.field_id_5, cd.field_id_7, t.pricebefordiscount, t.priceafterdiscount, t.error, t.cardid, em.email, emd.m_field_id_2, emd.m_field_id_6, emd.m_field_id_5, emd.m_field_id_7, emd.m_field_id_4, t.restaurant_id
FROM exp_members as em
   INNER JOIN transactions as t on (em.member_id = t.cardid-10000000)
   INNER JOIN exp_channel_titles as ct on (t.restaurant_id = ct.entry_id)
   INNER JOIN exp_channel_data as cd on (ct.entry_id = cd.entry_id)
   INNER join exp_member_data as emd on em.member_id = emd.member_id
WHERE em.member_id = '".($_GET['cardid']-10000000)."'");

这就是我试图防止mysql注入的方式。这足够安全吗?

$results = $this->EE->db->query("SELECT t.transactionid, t.transactiontime, t.created, ct.title, cd.field_id_6, cd.field_id_5, cd.field_id_7, t.pricebefordiscount, t.priceafterdiscount, t.error, t.cardid, em.email, emd.m_field_id_2, emd.m_field_id_6, emd.m_field_id_5, emd.m_field_id_7, emd.m_field_id_4, t.restaurant_id
FROM exp_members as em
   INNER JOIN transactions as t on (em.member_id = t.cardid-10000000)
   INNER JOIN exp_channel_titles as ct on (t.restaurant_id = ct.entry_id)
   INNER JOIN exp_channel_data as cd on (ct.entry_id = cd.entry_id)
   INNER join exp_member_data as emd on em.member_id = emd.member_id
WHERE em.member_id = '".$this->db->escape(($_GET['cardid']-10000000))."'");

但这也是一种选择吗?

$this->load->database();
$this->load->library('table');

$this->db->select(' t.transactionid, t.transactiontime, t.created, ct.title, cd.field_id_6, cd.field_id_5, cd.field_id_7, t.pricebefordiscount, t.priceafterdiscount, t.error, t.cardid, em.email, emd.m_field_id_2, emd.m_field_id_6, emd.m_field_id_5, emd.m_field_id_7, emd.m_field_id_4, t.restaurant_id');
$this->db->from('exp_members'); 
$this->db->join('transactions', 'exp_members.member_id = transactions.cardid-10000000', 'inner');
$this->db->join('exp_channel_titles', 'transactions.restaurant_id = exp_channel_titles.entry_id', 'inner');
$this->db->join('exp_channel_data', 'exp_channel_titles.entry_id = exp_channel_data.entry_id', 'inner');
$this->db->join('exp_member_data', 'exp_members.member_id = exp_member_data.member_id', 'inner');
$this->db->where('exp_members.member_id', $this->db->escape(($_GET['cardid']-10000000))); 
$query = $this->db->get();
echo $query;

这是足够安全还是正确的方法,还是我错过了什么。

4

1 回答 1

1

最后两种方法对于避免 SQL 注入是正确的。在最后一个代码中,使用 Active Record,您不需要调用 escape,因为 CodeIgniter 会自动执行此操作。

于 2013-05-07T21:10:05.600 回答