php 在 Laravel 4 中转义原始 SQL 查询
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/18951057/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Escape raw SQL queries in Laravel 4
提问by Dwight
How does one go about escaping parameters passed to a raw query in Laravel 4? I expected something like DB::escape()(which rings a bell from Laravel 3) and also attempted DB::quote()(which I thought could be available through the PDO object)
如何在 Laravel 4 中转义传递给原始查询的参数?我期待类似DB::escape()(它从 Laravel 3 中敲响钟声)并尝试过DB::quote()(我认为可以通过PDO 对象获得)
$query = DB::select("SELECT * FROM users WHERE users.id = " . DB::escape($userId));
We can't use the select method with placeholders as the above is just a simplified example of what we are trying to achieve.We have a large custom query with a few nested select queries that cannot be adapted to the query builder.
我们不能使用带有占位符的 select 方法,因为上面只是我们试图实现的一个简化示例。我们有一个大型自定义查询,其中包含一些无法适应查询构建器的嵌套选择查询。
What is the best approach to escaping something prior to inserting in Laravel 4?
在插入 Laravel 4 之前转义某些内容的最佳方法是什么?
EDIT:
编辑:
I've just discovered that you can access the PDO object and use the quote function on it this way. Is this still the best approach, or is there an easier way to access this function?
我刚刚发现您可以通过这种方式访问 PDO 对象并在其上使用引用函数。这仍然是最好的方法,还是有更简单的方法来访问此功能?
DB::connection()->getPdo()->quote("string to quote");
回答by Dwight
You can quote your strings this way, through the DBfacade.
您可以通过DB外观以这种方式引用您的字符串。
DB::connection()->getPdo()->quote("string to quote");
I did put this answer in my question when I discovered it, however I've now put it in as an actual answer to make it easier for others to find.
当我发现它时,我确实把这个答案放在了我的问题中,但是我现在把它作为一个实际的答案,以便其他人更容易找到。
回答by Arun Kumar M
回答by The Alpha
You may also try this, (Read Documentation)
你也可以试试这个,(阅读文档)
$results = DB::select('SELECT * FROM users WHERE users.id = ?', array($userId));
回答by J. Bruni
I'm using this in my helpers.phpat Laravel 5:
我helpers.php在 Laravel 5 中使用它:
if ( ! function_exists('esc_sql'))
{
function esc_sql($string)
{
return app('db')->getPdo()->quote($string);
}
}
Then I can use esc_sqlfunction where I need to pergorm escaping for raw SQL queries.
然后我可以esc_sql在需要为原始 SQL 查询进行 pergorm 转义的地方使用函数。
回答by Rafa? G.
I found this question when looking for generic sql escaping in Laravel. What I actually needed though was table/column name escaping. So, for future reference:
我在 Laravel 中寻找通用 sql 转义时发现了这个问题。我实际需要的是表/列名称转义。因此,以供将来参考:
/**
* Quotes database identifier, e.g. table name or column name.
* For instance:
* tablename -> `tablename`
* @param string $field
* @return string
*/
function db_quote_identifier($field) {
static $grammar = false;
if (!$grammar) {
$grammar = DB::table('x')->getGrammar(); // The table name doesn't matter.
}
return $grammar->wrap($field);
}
回答by Sonny
Two answers here, that I use, have less verbose solutions built into the DBfacade.
我在这里使用的两个答案在DB外观中内置了不那么冗长的解决方案。
First, value quoting:
首先,价值引用:
// From linked answer
DB::connection()->getPdo()->quote("string to quote");
// In the DB facade
DB::getPdo()->quote('string to quote');
Second, identifier quoting(table and column names):
二、标识符引用(表名和列名):
// From linked answer
DB::table('x')->getGrammar()->wrap('table.column');
// In the DB facade
DB::getQueryGrammar()->wrap('table.column');
回答by mpen
Here's a fuller example, showing how to escape both values and columns and extend Laravel's querybuilder:
这是一个更完整的示例,展示了如何转义值和列并扩展 Laravel 的查询构建器:
<?php
namespace App\Providers;
use Illuminate\Database\Query\Builder;
use Illuminate\Support\ServiceProvider;
class DatabaseQueryBuilderMacroProvider extends ServiceProvider {
public function register() {
Builder::macro('whereInSet', function($columnName, $value) {
/** @var \Illuminate\Database\Query\Grammars\Grammar $grammar */
$grammar = $this->getGrammar();
return $this->whereRaw('FIND_IN_SET(?,' . $grammar->wrap($columnName) . ')', [$value]);
});
}
}
