Introduction to the query condition preprocessing of ThinkPHP3.1 new features _php instance

The previous ThinkPHP3.0 version of the query condition for the array method is safe filtering (this is because the 3.0 enforces the use of field type detection, so that the query conditions for arrays are cast to the set type of the field), but the 3.0 version does not support security filtering of string conditions. The ThinkPHP3.1 version adds support for preprocessing of conditional strings, which makes ORM security more secure.

First, use the Where method

The Where method of the Model class supports preprocessing of string conditions using the following methods: $Model->where ("id=%d and Username= '%s ' andxx= '%f '", Array ($id, $username, $xx))- >select ();

or directly using:

$Model->where ("id=%d and Username= '%s ' and xx= '%f '", $id, $username, $xx)->select ();

If the $id variable comes from a user commit or URL address, if the incoming non-numeric type is forced to be formatted as a number format, the query operation is performed.

String preprocessing format types support specifying numbers, strings, and so on, so you can refer to the parameter descriptions of the vsprintf method.

Ii. using the query and Execute methods

In addition to the Where condition, the preprocessing mechanism is supported for native SQL queries, such as:

$Model->query ("select * from Think_user where id=%d and Username= '%s ' and xx= '%f '", Array ($id, $username, $xx));

The Execute method of the model supports the preprocessing mechanism as well as the query method.

