Novice ask how fuzzy queries prevent SQL injection

Source: Internet
Author: User
// Create the table model
$news_table = new News();
// Create the corresponding adapter
$db = $news_table->getAdapter();
// Prepare the SQL statement
$sql = $db->quoteInto("SELECT title, pubdate FROM news WHERE title LIKE '%$keyword_arr[0]%'");
// Get the result set
$res = $db->query($sql)->fetchAll();
I need a fuzzy query, so I intentionally put in the % signs, but the statement also contains a variable with the $ sign and the array subscript operator [], and I also want to prevent others from using things like % for SQL injection. How should this statement be written?


Reply to discussion (solution)

Add a mysql_real_escape_string();
However, mysql_real_escape_string does not escape % and _, so you can use str_replace() to remove the unwanted symbols.

Could you write this SQL out for me so I can try it?
I'm a rookie.

This SQL does return results, but I recorded 1 error and a warning in my error log file.
PHP Warning: Missing argument 2 for Zend_Db_Adapter_Abstract::quoteInto(),
called in E:\myenv\Apache\htdocs\news\application\controllers\NewsqueryController.php on line, and defined in E:\myenv\apache\htdocs\news\library\zend\db\adapter\abstract.php on line 927

PHP Notice: Undefined variable: value in
E:\myenv\Apache\htdocs\news\library\Zend\Db\Adapter\Abstract.php
on line 930
I don't know where the problem is.

1. At Abstract.php line 927, the function Zend_Db_Adapter_Abstract::quoteInto() is missing parameter 2; that is, you passed one parameter too few.
2. PHP Notice: Undefined variable: value
$value is not defined, at Abstract.php line 930.

How is injection achieved with %?

I also want to know. The parameters should be filtered; if characters to be filtered are found, either abort or replace them.

mysql_real_escape_string
and
mysql_escape_string

What's the difference?

$db->quoteInto("SELECT title, pubdate FROM news WHERE title LIKE '%$keyword_arr[0]%'");
The method quoteInto requires two parameters.

To #7:
The latter has been placed in the deprecated series.
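Putting the two answers together (pass the value as quoteInto's second argument, and neutralize % and _ yourself because the quoting layer does not), here is an added example that is not from the thread. It assumes a Zend Framework 1 Zend_Db adapter in $db, as in the question; escapeLikeTerm and buildTitleSearchSql are names chosen for this example.

```php
<?php
// Added example, not code from the thread. Escapes the LIKE metacharacters
// so a user-supplied keyword is matched literally, then binds it through
// quoteInto(). Assumes $db is a Zend Framework 1 Zend_Db adapter.

/**
 * Escape the characters that have special meaning inside a LIKE pattern.
 * quoteInto() quotes the string literal (quotes, backslashes, NULs), but
 * % and _ remain wildcards inside the pattern, so they are prefixed with
 * a backslash here and the query declares ESCAPE '\' explicitly.
 */
function escapeLikeTerm(string $term): string
{
    // Backslash is handled first; otherwise the backslashes added for
    // % and _ in the later replacements would be doubled again.
    return str_replace(['\\', '%', '_'], ['\\\\', '\\%', '\\_'], $term);
}

/**
 * Build the fuzzy title query. The wildcards the application wants are
 * added around the escaped term, and the whole pattern is passed as the
 * second argument of quoteInto(), which the question's call omitted.
 */
function buildTitleSearchSql($db, string $keyword): string
{
    $pattern = '%' . escapeLikeTerm($keyword) . '%';
    return $db->quoteInto(
        "SELECT title, pubdate FROM news WHERE title LIKE ? ESCAPE '\\\\'",
        $pattern
    );
}

// Usage with the objects from the question:
// $db  = $news_table->getAdapter();
// $sql = buildTitleSearchSql($db, $keyword_arr[0]);
// $res = $db->query($sql)->fetchAll();
```

With this, a keyword such as 100% is searched for literally instead of turning into a pattern that matches every row.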
