In version 3.0, query conditions given in array mode are filtered safely: field type detection is mandatory in 3.0, so every array-mode condition value is forcibly cast to the type of its field. String conditions, however, receive no security filtering at all. Version 3.1 adds preprocessing for condition strings, which makes the ORM safer to use with user-supplied values.
I. Use the where method
The where method of the Model class supports preprocessing of string conditions. Usage:

    $Model->where("id=%d and username='%s' and xx='%f'", array($id, $username, $xx))->select();

The values can also be passed directly as extra arguments instead of in an array:

    $Model->where("id=%d and username='%s' and xx='%f'", $id, $username, $xx)->select();

If the $id variable comes from user input or the URL and is not numeric, the %d placeholder forcibly formats it as a number before the query runs, so any text appended to the value is discarded rather than sent to the database.
The preprocessing format supports number and string placeholders; for details, refer to the parameter description of PHP's vsprintf function. Note that %d and %f coerce their argument to a number, whereas %s substitutes the argument's text into the condition; what escaping %s arguments receive is decided by the framework's implementation, so check that before relying on %s for untrusted strings.
II. Use the query and execute methods
Besides where conditions, the native SQL query methods also support preprocessing, for example:

    $Model->query("SELECT * FROM think_user WHERE id=%d and username='%s' and xx='%f'", array($id, $username, $xx));

The execute method of the Model class supports preprocessing in the same way as query.
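The two condition-handling paths described above, array-mode casting to the field type and vsprintf-style preprocessing of condition strings, condensed into a stand-alone PHP script that runs without a database. This is an added example, not the framework's own code: the field-type map, the addslashes()-based escaping of string arguments, and the hostile inputs are all constructed here for illustration, and the real database driver's escape routine should be used in place of addslashes().

```php
<?php
// Added example (not the framework's own code): a minimal model of the two
// condition-preprocessing paths, so their effect on user-controlled input
// can be observed offline. The field map, escaping helper and sample
// inputs are assumptions constructed for this illustration.

// Constructed field-type map standing in for the framework's mandatory
// field type detection (assumption).
$fields = array('id' => 'int', 'username' => 'string', 'xx' => 'float');

// Array mode: every condition value is forced to its field's type.
function castToFieldType(array $where, array $fields) {
    $out = array();
    foreach ($where as $field => $value) {
        if (!isset($fields[$field])) {
            continue; // unknown column name from user input is dropped
        }
        switch ($fields[$field]) {
            case 'int':   $out[$field] = (int) $value;    break;
            case 'float': $out[$field] = (float) $value;  break;
            default:      $out[$field] = (string) $value; break;
        }
    }
    return $out;
}

// String mode: the condition template is run through vsprintf with the
// user values as arguments. %d and %f coerce to numbers, so a payload such
// as "1 OR 1=1" cannot survive in a %d slot.
function prepareWhere($template, array $args) {
    // vsprintf does not escape quotes by itself, so string arguments are
    // escaped first. addslashes() is a stand-in (assumption) for the
    // database driver's escape routine; use the real driver in production.
    $escaped = array_map(function ($v) {
        return is_string($v) ? addslashes($v) : $v;
    }, $args);
    return vsprintf($template, $escaped);
}

// Constructed hostile inputs, as they might arrive from a URL or a form.
$id       = "1 OR 1=1";
$username = "admin' OR '1'='1";
$xx       = "2.5; DROP TABLE think_user";

// Array mode: the cast discards the injected text. id becomes int(1),
// xx becomes float(2.5); username keeps its text, and quoting it is the
// driver's job at escape/bind time, not the cast's.
var_dump(castToFieldType(
    array('id' => $id, 'username' => $username, 'xx' => $xx), $fields));

// String mode: %d keeps only the leading integer, %f the leading float,
// and the %s value is inserted with its quotes escaped:
// id=1 and username='admin\' OR \'1\'=\'1' and xx='2.500000'
echo prepareWhere("id=%d and username='%s' and xx='%f'",
                  array($id, $username, $xx)), "\n";
```

The point to take from running it is which placeholder does the protecting: the numeric placeholders neutralise the payload on their own, while the %s slot is only as safe as the escaping applied to its argument before vsprintf sees it.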