Parameter filtering
1. For parameter bindings that cannot use PDO directly, you can simulate binding with sprintf: filter the values with new_addslashes, then execute the assembled SQL with query. The sprintf conversion specifiers are:
%% - returns a literal percent sign
%b - binary number
%c - the character with the given ASCII value
%d - signed decimal number
%e - scientific notation (e.g. 1.5e+3)
%u - unsigned decimal number
%f - floating-point number (locale aware)
%F - floating-point number (not locale aware)
%o - octal number
%s - string
%x - hexadecimal number (lowercase letters)
%X - hexadecimal number (uppercase letters)
The addslashes() function adds a backslash before each of the following predefined characters:
single quote (')
double quote (")
backslash (\)
NUL byte
$str = array('table' => 'user', 'username' => 'yak', 'salary' => "' or '1=1");
$arr = new_addslashes($str); // escape every value in the array (recursive addslashes)
extract($arr); // export the keys as variables: $table, $username, $salary
$sql = sprintf("UPDATE %s SET salary=salary+1000 WHERE username='%s' AND salary=%d", $table, $username, $salary);
This uses sprintf to simulate PDO parameter binding: the escaped string is placed inside quotes by the template, and %d forces the salary value to an integer.
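As an added example (not code from the original post or from PHPCMS), the following script implements this simulated binding as a small helper and shows the one check a reviewer would want: a %s placeholder that is not wrapped in quotes in the template is rejected, because an addslashes-escaped value dropped into an unquoted position still changes the query. The new_addslashes() below is an assumed re-implementation (recursive addslashes over an array) written for this example, and bind_sql() and the sample array are constructed here.

```php
<?php
// Added example: sprintf-style "simulated binding" with addslashes escaping.
// new_addslashes() is an assumed re-implementation of the PHPCMS helper of that name:
// it applies addslashes() to every scalar in a (possibly nested) array.
function new_addslashes($data) {
    if (!is_array($data)) {
        return addslashes($data);
    }
    $out = array();
    foreach ($data as $key => $value) {
        $out[addslashes($key)] = new_addslashes($value);
    }
    return $out;
}

// Build SQL from a sprintf template. Every %s must already sit inside single
// quotes in the template: an escaped string placed in an unquoted position is
// not protected by addslashes at all, so such templates are refused outright.
function bind_sql($template, array $params) {
    if (preg_match("/(?<!')%s(?!')/", $template)) {
        throw new InvalidArgumentException("every %s in the template must be written as '%s'");
    }
    $escaped = new_addslashes($params);
    return vsprintf($template, $escaped);
}

// Constructed sample input, carrying the same quote-breaking salary value as the post.
$input = array(
    'table'    => 'user',
    'username' => "yak' or '1'='1",
    'salary'   => "' or '1=1",
);

// Quoted %s and %d: the quotes in the username are escaped, the salary becomes 0.
$sql = bind_sql(
    "UPDATE %s SET salary=salary+1000 WHERE username='%s' AND salary=%d",
    array($input['table'], $input['username'], $input['salary'])
);
echo $sql, PHP_EOL;

// Unquoted %s: rejected before any SQL is assembled.
try {
    bind_sql("UPDATE %s SET salary=salary+1000 WHERE username=%s", array('user', 'yak'));
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), PHP_EOL;
}
```

Two caveats on the approach itself: addslashes() does not know the connection character set, so on a multibyte connection (GBK, for instance) it is weaker than mysqli::real_escape_string() or a real PDO prepared statement, and %d silently turns any non-numeric string into 0, which hides bad input rather than rejecting it. Use the sprintf fallback only where prepared statements are genuinely unavailable.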
SQL statement Execution
For convenient SQL execution, it is best to use the model's query method, call showmessage to prompt and redirect after execution, and finally include the template:
public function execsql() {
    $this->member_detail = ec_main::get_m('member_detail_model');
    // $u and $memberinfo['userid'] are assumed to have been set and filtered earlier in the controller
    $this->member_detail->query("UPDATE ec_member_detail SET me_noteic=CONCAT(me_noteic, ',', '" . $u . "') WHERE userid=" . $memberinfo['userid']);
    showmessage(L('deny_register'), HTTP_REFERER); // prompt, then return to the current page
    include template('member', 'me_notice');
}
Output JSON
When the front-end page uses JS to work with JSON data, the data can be output with a method like the following:
public function xxx() {
    $this->content_db = ec_main::get_m('content_check_model');
    $datas = $this->content_db->query("SELECT id, catid, title FROM ec_techan LIMIT 8");
    $notes = array(); $i = 0; // initialise variables
    while ($infor = mysql_fetch_assoc($datas)) {
        $note = array();
        $note["id"] = $infor['id'];
        $note["catid"] = $infor['catid'];
        $note["title"] = $infor['title']; // put one row into a one-dimensional array
        $notes[$i++] = $note; // append it to the two-dimensional array
    }
    mysql_free_result($datas);
    echo "var arrs=" . json_encode($notes) . ";";
}
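As an added example (not code from the original post or from PHPCMS), here is the same "var arrs=...;" output written as a function that copies only the columns the front end needs, with the types it expects, and encodes with the JSON_HEX_* flags. Those flags matter when the output is embedded in an inline script block: a stored title containing "</script>" or quotes would otherwise terminate the script element. The rows_to_js() function and the sample rows are constructed here; no database is needed to run it.

```php
<?php
// Added example: render a result set as a JS variable assignment, safely.
function rows_to_js($var_name, array $rows) {
    // only a plain identifier may be used as the JS variable name
    if (!preg_match('/^[A-Za-z_$][A-Za-z0-9_$]*$/', $var_name)) {
        throw new InvalidArgumentException('invalid JS variable name');
    }
    $notes = array();
    foreach ($rows as $row) {
        // copy only the columns the front end needs, cast to the types it expects
        $notes[] = array(
            'id'    => (int) $row['id'],
            'catid' => (int) $row['catid'],
            'title' => (string) $row['title'],
        );
    }
    // JSON_HEX_* encode < > & ' " as \uXXXX so the literal cannot break out of <script>;
    // JSON_UNESCAPED_UNICODE keeps non-ASCII titles readable.
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_UNESCAPED_UNICODE;
    $json = json_encode($notes, $flags);
    if ($json === false) {
        // e.g. invalid UTF-8 in a title: fail closed instead of emitting broken JS
        throw new RuntimeException('json_encode failed: ' . json_last_error_msg());
    }
    return 'var ' . $var_name . '=' . $json . ';';
}

// Constructed rows standing in for mysql_fetch_assoc() results; the second title
// contains the characters that would otherwise be interpreted by the browser.
$sample_rows = array(
    array('id' => '1', 'catid' => '3', 'title' => 'Local produce'),
    array('id' => '2', 'catid' => '3', 'title' => 'Sale ends </script> "today" & \'tomorrow\''),
);

// header('Content-Type: application/javascript; charset=utf-8'); // when served as a script file
echo rows_to_js('arrs', $sample_rows), PHP_EOL;
```

If the action is served as a standalone script file rather than inlined, also send the JavaScript content type (commented out above) so the response is never rendered as HTML.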
How to submit data from the front end
This mainly involves filtering the security-relevant parameters: casting integers with intval and checking whether strings are safe to insert into the database.
public function tj() {
    if (isset($_POST['dosubmit'])) {
        // map of field (changdi) ids to display names; the first two keys are unreadable in the original
        $chang = array("+" => "Field No. 1", "+" => "Field No. 2", "22" => "Field No. 3");
        $Ainfo = $_POST['info'];
        $description = safe_replace($Ainfo['beizhu']);
        $qiudui = safe_replace($Ainfo['mingcheng']);
        if ($Ainfo['username'] != "") {
            $username = safe_replace($Ainfo['username']);
        } else {
            $username = safe_replace(param::get_cookie('admin_username'));
        }
        $userid = intval($Ainfo['userid']);
        $catid = intval($Ainfo['changdi']);
        $lianxiren = safe_replace($Ainfo['lianxiren']);
        $day = safe_replace($Ainfo['riqi']);
        $daytime = safe_replace($Ainfo['changci']);
        $dianhua = safe_replace($Ainfo['dianhua']);
        $title = $username . ": appointment " . $day . " <" . $chang[$catid] . ">, time: " . $daytime;
        $ttime = time();
        $datas = $this->db->query("INSERT INTO ec_changdix (catid,typeid,status,title,username,userid,description,inputtime,updatetime) VALUES ($catid, 0, 99, '$title', '$username', $userid, '$description', '$ttime', '$ttime')");
        $insertid = mysql_fetch_assoc($this->db->query("SELECT @@IDENTITY"));
        $nid = $insertid["@@IDENTITY"];
        $this->db->query("UPDATE ec_changdix SET url='/?catid=$catid&id=$nid' WHERE id=$nid");
        $this->db->query("INSERT INTO ec_changdix_data (id,dianhua,lianxiren,day,daytime,qiudui) VALUES ($nid, '$dianhua', '$lianxiren', '$day', '$daytime', '$qiudui')");
        showmessage(L('success'), HTTP_REFERER);
    }
}
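As an added example (not code from the original post or from PHPCMS), the same booking submission is redone below with explicit validation and prepared statements in place of safe_replace plus string-built SQL: the field id is checked against a whitelist before it is used as an array index, the date and phone number are pattern-checked, every value is bound, and the new id comes from lastInsertId() inside one transaction rather than a separate SELECT @@IDENTITY. Table and column names follow the post; the field-id map, the in-memory SQLite database and the sample form array are constructed for this example so the script runs on its own.

```php
<?php
// Added example: validated, prepared-statement version of the booking flow.

// Check and normalise the submitted 'info' array. Integers are cast, the field id
// must exist in the whitelist, free-text values are length-limited (in bytes);
// nothing is escaped by hand because every value is bound below.
function validate_booking(array $info, array $fields, $default_user) {
    $get = function ($key) use ($info) { return isset($info[$key]) ? trim((string) $info[$key]) : ''; };
    $catid = intval($get('changdi'));
    if (!isset($fields[$catid])) {
        throw new InvalidArgumentException('unknown field id');
    }
    $day = $get('riqi');
    if (!preg_match('/^\d{4}-\d{2}-\d{2}$/', $day) || strtotime($day) === false) {
        throw new InvalidArgumentException('date must be YYYY-MM-DD');
    }
    if (!preg_match('/^\d{6,20}$/', $get('dianhua'))) {
        throw new InvalidArgumentException('phone must be 6-20 digits');
    }
    $username = $get('username') !== '' ? $get('username') : $default_user;
    $limits = array('lianxiren' => 30, 'mingcheng' => 60, 'beizhu' => 500, 'changci' => 20);
    foreach ($limits as $key => $max) {
        if (strlen($get($key)) > $max) {
            throw new InvalidArgumentException("$key is too long");
        }
    }
    if (strlen($username) > 30) {
        throw new InvalidArgumentException('username is too long');
    }
    return array(
        'catid' => $catid, 'userid' => intval($get('userid')), 'username' => $username,
        'day' => $day, 'daytime' => $get('changci'), 'dianhua' => $get('dianhua'),
        'lianxiren' => $get('lianxiren'), 'qiudui' => $get('mingcheng'), 'description' => $get('beizhu'),
    );
}

// Insert the booking, take the new id from lastInsertId(), then write the url and
// the detail row; all three statements succeed or fail together.
function save_booking(PDO $db, array $b, array $fields) {
    $now = time();
    $title = $b['username'] . ': appointment ' . $b['day'] . ' <' . $fields[$b['catid']] . '>, time: ' . $b['daytime'];
    $db->beginTransaction();
    try {
        $st = $db->prepare('INSERT INTO ec_changdix (catid, typeid, status, title, username, userid, description, inputtime, updatetime)'
                         . ' VALUES (:catid, 0, 99, :title, :username, :userid, :description, :inputtime, :updatetime)');
        $st->execute(array(':catid' => $b['catid'], ':title' => $title, ':username' => $b['username'],
                           ':userid' => $b['userid'], ':description' => $b['description'],
                           ':inputtime' => $now, ':updatetime' => $now));
        $nid = (int) $db->lastInsertId();
        $db->prepare('UPDATE ec_changdix SET url = :url WHERE id = :id')
           ->execute(array(':url' => '/?catid=' . $b['catid'] . '&id=' . $nid, ':id' => $nid));
        $db->prepare('INSERT INTO ec_changdix_data (id, dianhua, lianxiren, day, daytime, qiudui) VALUES (?, ?, ?, ?, ?, ?)')
           ->execute(array($nid, $b['dianhua'], $b['lianxiren'], $b['day'], $b['daytime'], $b['qiudui']));
        $db->commit();
    } catch (Exception $e) {
        $db->rollBack();
        throw $e;
    }
    return $nid;
}

// Constructed in-memory database with the two tables used by the post.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE ec_changdix (id INTEGER PRIMARY KEY AUTOINCREMENT, catid INTEGER, typeid INTEGER, status INTEGER,'
        . ' title TEXT, username TEXT, userid INTEGER, description TEXT, inputtime INTEGER, updatetime INTEGER, url TEXT)');
$db->exec('CREATE TABLE ec_changdix_data (id INTEGER, dianhua TEXT, lianxiren TEXT, day TEXT, daytime TEXT, qiudui TEXT)');

// Constructed whitelist of field ids (the post's own first two keys are unreadable).
$fields = array(20 => 'Field No. 1', 21 => 'Field No. 2', 22 => 'Field No. 3');
// Constructed form submission; the remark carries the quote and backslash that
// string-concatenated SQL would trip over, and is stored as-is by the bound insert.
$post = array('dosubmit' => 1, 'info' => array(
    'changdi' => '22', 'riqi' => '2014-05-20', 'changci' => '19:00', 'dianhua' => '13800000000',
    'lianxiren' => 'Zhang', 'mingcheng' => "Team 'A'", 'beizhu' => "note with ' and \\", 'username' => 'yak', 'userid' => '7',
));

if (isset($post['dosubmit'])) {
    $booking = validate_booking($post['info'], $fields, 'admin');
    $nid = save_booking($db, $booking, $fields);
    $st = $db->prepare('SELECT title, url FROM ec_changdix WHERE id = ?');
    $st->execute(array($nid));
    $row = $st->fetch(PDO::FETCH_ASSOC);
    echo $row['title'], ' -> ', $row['url'], PHP_EOL;
}
```

In the real controller the PDO handle would come from the application's configured MySQL connection and the validation errors would be reported through showmessage(); the shape of the checks and the bound statements stay the same. Note that binding protects the database only: the stored title still has to be HTML-escaped when it is rendered in a template.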
PHPCMS secondary development: data filtering tips