A new user asks how to prevent SQL injection in a fuzzy (LIKE) query

// create a table model
$news_table = new news();
// create the corresponding adapter
$db = $news_table->getAdapter();
// prepare the SQL statement
$sql = $db->quoteInto("select title, pubDate from news where title like '%$keyword_arr[0]%'");
// obtain the result set
$res = $db->query($sql)->fetchAll();
I need to perform a fuzzy query, so the statement has to include the "%" sign, the variable (with "$") and the array subscript operator "[]". However, I want to prevent others from using "%" and similar characters for SQL injection. How should I write this statement?
Reply to discussion (solution)
Add mysql_real_escape_string().
However, mysql_real_escape_string does not escape % and _, so you can use str_replace() to remove the unwanted symbols.
Could this SQL statement be written for me?
I'm a newbie.
This SQL statement does return results, but one error and one warning are recorded in my error log file:
PHP Warning: Missing argument 2 for Zend_Db_Adapter_Abstract::quoteInto(), called in E:\myenv\Apache\htdocs\news\application\controllers\NewsqueryController.php on line 44 and defined in E:\myenv\Apache\htdocs\news\library\Zend\Db\Adapter\Abstract.php on line 927
PHP Notice: Undefined variable: value in E:\myenv\Apache\htdocs\news\library\Zend\Db\Adapter\Abstract.php on line 930
I don't know where the problem is.
1. Zend_Db_Adapter_Abstract::quoteInto() at line 927 of Abstract.php is missing parameter 2, that is, you have left out an argument.
2. PHP Notice: Undefined variable: value
$value is not defined at line 930 of Abstract.php.
How can % be used for injection?
I also want to know whether it is necessary to filter the parameters: find the characters that need filtering and either abort or replace them.
What is the difference between mysql_real_escape_string and mysql_escape_string??
$db->quoteInto("select title, pubDate from news where title like '%$keyword_arr[0]%'");
The quoteInto method requires two parameters.
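The two replies above (use an escaping function but also handle % and _, and pass the keyword as the second argument to quoteInto) can be combined. The following is an added example and not code from the thread or from Zend Framework. It relies on one real signature, Zend_Db_Adapter_Abstract::quoteInto($text, $value), shown in a comment because that call needs a live MySQL adapter; the part that actually runs uses PDO with an in-memory SQLite table and constructed sample rows. The table name news, the column names title and pubDate, and the helper names escapeLikeWildcards and searchTitles are assumptions. Note that % and _ are not SQL metacharacters, so they cannot break out of the quoted string; they are LIKE wildcards, and the risk is a user turning the search into match-everything. Escaping them (rather than stripping them with str_replace) keeps a literal % or _ searchable.

```php
<?php
// Added example, not from the thread. Shows a safe fuzzy query:
//   1. the keyword is bound/quoted as a value, never interpolated into SQL;
//   2. LIKE wildcards in the keyword are escaped so they match literally.

/**
 * Escape the LIKE wildcards '%' and '_' (and the escape character itself)
 * so user text is matched literally. The escape character is replaced
 * first so the backslashes inserted afterwards are not doubled.
 * MySQL uses '\' as the LIKE escape character by default; SQLite needs
 * an explicit ESCAPE clause, used below.
 */
function escapeLikeWildcards(string $s, string $esc = '\\'): string
{
    return str_replace(
        [$esc, '%', '_'],
        [$esc . $esc, $esc . '%', $esc . '_'],
        $s
    );
}

// What the original poster's line looks like with Zend_Db (assumed $db and
// $keyword_arr as in the thread). The '?' placeholder carries no quotes of
// its own: quoteInto() quotes the whole pattern, including the '%' signs.
//
//   $sql = $db->quoteInto(
//       "SELECT title, pubDate FROM news WHERE title LIKE ?",
//       '%' . escapeLikeWildcards($keyword_arr[0]) . '%'
//   );
//   $res = $db->query($sql)->fetchAll();

/**
 * Self-contained equivalent with PDO: the pattern is bound as a parameter.
 * Returns the matching titles in sorted order.
 */
function searchTitles(PDO $pdo, string $userKeyword): array
{
    $pattern = '%' . escapeLikeWildcards($userKeyword) . '%';
    $stmt = $pdo->prepare(
        "SELECT title FROM news WHERE title LIKE :p ESCAPE '\\' ORDER BY title"
    );
    $stmt->execute([':p' => $pattern]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed sample data (assumed schema: news(title, pubDate)).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE news (title TEXT, pubDate TEXT)");
$pdo->exec("INSERT INTO news (title, pubDate) VALUES
    ('100% cotton',    '2010-01-01'),
    ('10 percent off', '2010-01-02'),
    ('under_score',    '2010-01-03'),
    ('underscore',     '2010-01-04')");

$checks = [
    // escaped '%' matches only a literal percent sign, not "anything"
    ['100%',        ['100% cotton']],
    // escaped '_' matches only a literal underscore, not "any one character"
    ['under_',      ['under_score']],
    // a quote in the keyword is bound as data, so it cannot alter the query
    ["' OR 1=1 --", []],
];
foreach ($checks as [$keyword, $expected]) {
    $got = searchTitles($pdo, $keyword);
    if ($got !== $expected) {
        throw new RuntimeException("unexpected result for keyword: $keyword");
    }
    printf("%-14s -> %s\n", var_export($keyword, true), json_encode($got));
}
echo "all checks passed\n";
```

If the keyword is passed through quoteInto() without escapeLikeWildcards(), the quoting still prevents the string from being broken out of, but a keyword of just "%" returns every row; on MySQL the backslashes produced by escapeLikeWildcards() are themselves doubled by quote(), which is what makes them reach the LIKE evaluator intact.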
To #7
The latter has been put on the deprecated list.