0

我正在制作一个函数来完全查询我的数据库,使用关键字搜索($wordsToSearch)或一些类别标签单词($tagsToSearch)(如果有)。
这是我的功能,它不安全,因为我使用 concat 添加查询的某些部分。我应该如何使用 PDO 过滤变量,然后在需要时添加查询的一部分?
感谢大家

$wordsToSearch = " ";
$tagsToSearch = " ";

if(is_string($search)){
    $wordsToSearch = "WHERE (
                            `artist_nm` LIKE  '%".$search."%'
                            OR  `place` LIKE  '%".$search."%'
                            )";
}
if(is_string($searchtags)){
    $arrayTags = explode(',', $searchtags);
    $tagsToSearch = "HAVING (
                            `tags` LIKE  '%".$arrayTags[0]."%' ";
    foreach ($arrayTags as $key => $value) {
        if($key != 0 && $key <= 20)  {
            $tagsToSearch .= "OR `tags` LIKE  '%".$value."%' ";
        }
    }
    $tagsToSearch .= ")";

}

$database->setAttribute( PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION );
$STH = $database->prepare('SELECT id, lat, lng, CONCAT_WS(  "/&/", total, tags ) AS data
    FROM (SELECT lat, lng, id, CONCAT_WS(  "/&/", img_link, artist_nm, page_link, place, Total_Rating, Rating_Number ) AS total, GROUP_CONCAT( tag_name
    SEPARATOR  "," ) AS tags
    FROM images
    LEFT OUTER JOIN tbl_places ON images.id = tbl_places.KE_img
    LEFT OUTER JOIN rel_tags ON images.id = rel_tags.Id_immagine
    LEFT OUTER JOIN tags ON tags.Id_tag = rel_tags.Id_tag
    '.$wordsToSearch.'
    GROUP BY id '.$tagsToSearch.'
    ) AS subquery
    '); 
try {
    $STH->execute();
} catch(PDOException $e){
    echo $e->getMessage();
    die();
}
4

1 回答 1

0

您正在寻找准备好的请求。您必须使用prepare()以下方法使用一些参数编译您的查询:

<?php

// With placeholders
$sth = $database->prepare('SELECT * FROM table WHERE id = ?'); 

// With named parameters
$sth = $database->prepare('SELECT * FROM table WHERE id = :id');

?>

然后您可以使用以下方法执行查询execute()

<?php

// With placeholders
$sth->bindParam(1, $yourId, PDO::PARAM_INT);
$sth->execute();
// or
$sth->execute(array($yourId));

// With named parameters
$sth->bindParam(':id', $yourId, PDO::PARAM_INT);
$sth->execute();
// or
$sth->execute(array(':id' => $yourId));

?>

编辑:

当然你可以放多个参数:

<?php

// With placeholders
$sth = $database->prepare('SELECT * FROM table WHERE username = ? AND password = ?');
$sth->bindParam(1, $username, PDO::PARAM_STR);
$sth->bindParam(2, $password, PDO::PARAM_STR);
$sth->execute();
// or
$sth->execute(array($username, $password));


// With named parameters
$sth = $database->prepare('SELECT * FROM table WHERE username = :username AND password = :password');
$sth->bindParam(':username', $username, PDO::PARAM_STR);
$sth->bindParam(':password', $password, PDO::PARAM_STR);
$sth->execute();
// or
$sth->execute(array(':username' => $username, ':password' => $password));

?>

文档中的更多信息。

于 2014-01-29T10:05:53.223 回答