
I am reading through an extension's files and came across the following code:

    $GLOBALS['TYPO3_DB']->exec_UPDATEquery(
        'tx_jcjob_job',
        'uid = '.$this->piVars['job'],
        array('hit_counter' => 'hit_counter + 1'),
        array('hit_counter')
    );

Then, in the file class.t3lib_db.php, I looked at two functions. function exec_UPDATEquery():

     * @param   string      Database tablename
     * @param   string      WHERE clause, eg. "uid=1". NOTICE: You must escape values in this argument with $this->fullQuoteStr() yourself!
     * @param   array       Field values as key=>value pairs. Values will be escaped internally. Typically you would fill an array like "$updateFields" with 'fieldname'=>'value' and pass it to this function as argument.
     * @param   string/array        See fullQuoteArray()
     * @return  pointer     MySQL result pointer / DBAL object
     */
    function exec_UPDATEquery($table, $where, $fields_values, $no_quote_fields = FALSE)

and function fullQuoteArray():

    /**
     * Will fullquote all values in the one-dimensional array so they are ready to "implode" for an sql query.
     *
     * @param   array       Array with values (either associative or non-associative array)
     * @param   string      Table name for which to quote
     * @param   string/array        List/array of keys NOT to quote (eg. SQL functions) - ONLY for associative arrays
     * @return  array       The input array with the values quoted
     * @see cleanIntArray()
     */
    function fullQuoteArray($arr, $table, $noQuote = FALSE)

But I still have questions:

How does this work: array('hit_counter')? Or, put differently, how does function fullQuoteArray() work? What does this mean: "fullquote all values in the one-dimensional array"?


1 Answer


On each array value the function real_escape_string (since 6.x) or mysql_real_escape (before 6.x) is used. So, every value should be SQL-injection safe.

There is no magic inside :)

answered 2013-07-29T07:14:01.787
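To make the contract in the two docblocks concrete, here is an added, simplified model of the quoting behaviour (example code written for this page, not TYPO3's own implementation): every value in the fields array is quoted unless its key appears in the no-quote list, while the WHERE clause is passed through untouched, so the caller has to make it safe, as the NOTICE in the docblock says. The modelFullQuoteStr stand-in and the sample job id are assumptions.

```php
<?php
// Added example, not TYPO3 code: a minimal model of fullQuoteArray() /
// exec_UPDATEquery() showing what the $no_quote_fields argument does.

function modelFullQuoteStr(string $value): string
{
    // Stand-in for $GLOBALS['TYPO3_DB']->fullQuoteStr(): escape the value
    // and wrap it in single quotes so it is a string literal in SQL.
    return "'" . addslashes($value) . "'";
}

function modelFullQuoteArray(array $arr, $noQuote = false): array
{
    // Documented contract: quote every value, except keys listed in $noQuote
    // (an array or a comma-separated string, e.g. for SQL expressions).
    if (is_string($noQuote)) {
        $noQuote = explode(',', $noQuote);
    }
    foreach ($arr as $key => $value) {
        if ($noQuote === false || !in_array($key, $noQuote, true)) {
            $arr[$key] = modelFullQuoteStr((string)$value);
        }
    }
    return $arr;
}

function modelUpdateQuery(string $table, string $where, array $fieldsValues, $noQuoteFields = false): string
{
    // The WHERE string is used as-is: only the SET values are escaped here.
    $set = [];
    foreach (modelFullQuoteArray($fieldsValues, $noQuoteFields) as $field => $value) {
        $set[] = $field . '=' . $value;
    }
    return 'UPDATE ' . $table . ' SET ' . implode(',', $set) . ' WHERE ' . $where;
}

// Constructed stand-in for $this->piVars['job']; the (int) cast is the
// caller's responsibility for the WHERE clause (see the docblock NOTICE).
$job = '12';

// With array('hit_counter') as the no-quote list, 'hit_counter + 1' stays a
// bare SQL expression, so the column is incremented in place.
echo modelUpdateQuery('tx_jcjob_job', 'uid = ' . (int)$job,
    ['hit_counter' => 'hit_counter + 1'], ['hit_counter']), "\n";

// Without the no-quote list the same value is sent as a quoted string
// literal, and the column would be set to that text instead.
echo modelUpdateQuery('tx_jcjob_job', 'uid = ' . (int)$job,
    ['hit_counter' => 'hit_counter + 1']), "\n";
```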