我正在使用 MySQL 来执行查询:
public function query($query, $params = array(), $format = array()) {
if ( !is_array( $params ) ) return false;
$dbh = parent::$dbh;
if ( empty($dbh) ) return false;
$stmt = $dbh->prepare($query);
if ( !empty($format)) {
$values = array_values($params);
foreach ( $format as $key => $bind ) {
switch ($bind) {
case '%d':
$stmt->bindValue($key + 1, $values[$key], PDO::PARAM_INT);
break;
case '%s':
$stmt->bindValue($key + 1, $values[$key], PDO::PARAM_STR);
break;
default:
$stmt->bindValue($key + 1, $values[$key], PDO::PARAM_STR);
break;
}
}
}
$stmt->execute($params);
return $stmt;
}
如何安全地从使用 LIKE 的搜索中删除无效字符:
例如:
$filter = "filter's";
if (isset($filter)) {
$search_filter = 'content LIKE \'%'.$filter.'%\'';
$sql = "SELECT $search_filter FROM messages";
$stmt = $this->query($sql);
}