I am using Yii 1, I want to build the following query:
$a = Model::model()->findAllBySql(
    'SELECT * FROM table WHERE name like "%'.$_GET['name'].'%"'
);
To prevent the SQL injection I wrote it as follows:
$a = Model::model()->findAllBySql(
    'SELECT * FROM table WHERE name like "%:name%"',
    array("name"=>$_GET['name'])
);
but it returned no data. Are there any errors in this query?
When the placeholder is quoted it is not a placeholder, it is the literal value. Try it this way:
The driver currently auto-appends the colons but it might not in the future, it is best to have the name match the placeholder.
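An added example (not the answerer's code) showing the two points above in working Yii 1.1 code: the `:name` placeholder stays unquoted in the SQL text and the wildcards go into the bound value, and the array key is spelled exactly like the placeholder. It assumes a CActiveRecord subclass named `Model` with a `name` column, as in the question; the helper names `findByNameLike`, `escapeLikeValue` and `findByNameLikeViaCriteria` are made up for this example. It also covers an edge case the thread does not mention: a user-supplied `%` or `_` is itself a LIKE wildcard, so it is escaped before binding (MySQL's default escape character is the backslash).

```php
<?php
// Added example, not the answer author's code. Assumes a Yii 1.1
// CActiveRecord subclass "Model" whose table has a "name" column.

// Escape LIKE metacharacters in user input so that "%" or "_" typed by the
// user matches literally instead of acting as a wildcard. Backslash is
// MySQL's default LIKE escape character, so it must be escaped first.
function escapeLikeValue($value)
{
    return strtr($value, array(
        '\\' => '\\\\',
        '%'  => '\%',
        '_'  => '\_',
    ));
}

// Option 1: raw SQL with a bound parameter. The placeholder ":name" is left
// bare in the SQL; the "%...%" wrapping is done in PHP on the VALUE that gets
// bound, and the array key matches the placeholder exactly (":name").
// Model::model()->tableName() is Yii's own table-name accessor, so it is
// trusted, unlike anything taken from $_GET.
function findByNameLike($userInput)
{
    $sql = 'SELECT * FROM ' . Model::model()->tableName()
         . ' WHERE name LIKE :name';
    $params = array(':name' => '%' . escapeLikeValue($userInput) . '%');
    return Model::model()->findAllBySql($sql, $params);
}

// Option 2: let CDbCriteria build the condition. addSearchCondition() binds
// the keyword as a parameter, wraps it in "%...%" and (with its default
// $escape = true) escapes %, _ and \ for you, so it does the same work as
// Option 1 without hand-written SQL.
function findByNameLikeViaCriteria($userInput)
{
    $criteria = new CDbCriteria;
    $criteria->addSearchCondition('name', $userInput);
    return Model::model()->findAll($criteria);
}

// Usage, e.g. inside a controller action:
$name = isset($_GET['name']) ? $_GET['name'] : '';
$rows = findByNameLike($name);              // or findByNameLikeViaCriteria($name)
foreach ($rows as $row) {
    echo CHtml::encode($row->name), "\n";   // encode on output to avoid XSS
}
```

Whichever option is used, the user input never becomes part of the SQL string: it travels only as a bound parameter, which is what defeats the injection in the original concatenated query. The escaping step is a separate concern (correctness of the search, and avoiding a full-table match from a bare `%`), not an injection defence, and Option 2 is the shorter way to get both.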