In version 3.0, array query conditions are already filtered safely: 3.0 enforces field type detection, so every value in an array condition is cast to the declared type of its field. String conditions, however, received no filtering in 3.0, so a string condition built by concatenating user input was open to SQL injection. Version 3.1 adds preprocessing (placeholder substitution with escaping of the bound values) for string conditions, which makes the ORM safer. Two entry points support it.

1. The where method

The where method of the model class accepts a string condition containing placeholders, followed by the values to bind:

$Model->where("id=%d and username='%s' and xx='%f'", $id, $username, $xx)->select();

If $id comes from a form submission or the URL and a non-numeric value is passed, %d forces it to be formatted as an integer before the query runs, so an injected expression collapses to a number. The supported format types (integers, floats, strings and so on) are those of PHP's vsprintf; see its parameter documentation for the full list. A %s placeholder must be written inside quotes in the condition string, as above: escaping protects the contents of a quoted string literal, not an unquoted fragment of SQL.

2. The query and execute methods

Besides where conditions, the native SQL query method supports the same preprocessing mechanism, with the values passed as an array:

$Model->query("select * from think_user where id=%d and username='%s' and xx='%f'", array($id, $username, $xx));

The model's execute method supports preprocessing in the same way as query.
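The following script is an added example; it is not code from the article or from the ThinkPHP project. It reproduces, outside the framework, the two steps that the 3.1 preprocessing applies to a string condition (escape each bound value, then substitute it with vsprintf) so that the effect on hostile input can be seen beside the unsafe concatenation that 3.0 allowed. The function names escape_arg and preprocess_where are hypothetical, the inputs are constructed, and addslashes stands in for the driver's escapeString (assumption: the real MySQL driver escapes with a connection-aware function, which also handles multibyte charsets correctly).

```php
<?php
// Added example, not part of the original article or of ThinkPHP.
// Emulates the 3.1 string-condition preprocessing:
//   1. escape every bound value (addslashes used here as a stand-in for
//      the driver's escapeString; assumption, see lead-in),
//   2. substitute the escaped values with vsprintf, so %d casts to an
//      integer, %f to a float, and %s inserts the escaped string.

function escape_arg($value)
{
    // Stand-in for Db::escapeString(). Hypothetical helper name.
    return addslashes((string) $value);
}

function preprocess_where($condition, array $args)
{
    // Hypothetical helper name; mirrors "escape, then vsprintf".
    $escaped = array_map('escape_arg', $args);
    return vsprintf($condition, $escaped);
}

function unsafe_where($id, $username, $xx)
{
    // What a 3.0-era string condition built by concatenation looks like:
    // every input lands in the SQL untouched.
    return "id=$id and username='$username' and xx='$xx'";
}

function safe_where($id, $username, $xx)
{
    // The 3.1 form: placeholders in the condition, values bound separately.
    // %s is wrapped in quotes on purpose; escaping only protects a quoted
    // string literal, an unquoted %s would still be injectable.
    return preprocess_where(
        "id=%d and username='%s' and xx='%f'",
        array($id, $username, $xx)
    );
}

// Constructed hostile inputs of the kind that arrive via $_GET or $_POST.
$id       = "1 OR 1=1";
$username = "admin' OR '1'='1";
$xx       = "3.5; DROP TABLE think_user";

echo "unsafe: ", unsafe_where($id, $username, $xx), PHP_EOL;
echo "safe:   ", safe_where($id, $username, $xx), PHP_EOL;
```

Running it prints both conditions. In the unsafe line the three payloads appear verbatim; in the safe line %d reduces the first input to a single integer, %s keeps the second input but with its quotes backslash-escaped so it stays inside the string literal, and %f keeps only the leading float of the third and drops the trailing statement. The contrast is the whole point of the 3.1 change: the query text is fixed in advance and user input can only fill typed slots.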