这段代码可以防止SQL注入吗?
$where = "(color = '$color' AND flavor = '$flavor') OR (quality = '$quality' AND price = '$price')";
$this->db->where($where);
$result = $this->db->get('fruits');
正如它所说,基于Codeigniter Docs。
$this->db->where(( 接受可选的第三个参数。如果您设置了它 如果为 FALSE,CodeIgniter 将不会尝试保护您的字段或表 名字。
$this->db->where('MATCH (field) AGAINST ("value")', NULL, FALSE);
将前面的语句更改为此是否正确?
$where = "(color = '$color' AND flavor = '$flavor') OR (quality = '$quality' AND price = '$price')";
$this->db->where($where, NULL, TRUE);
$result = $this->db->get('fruits');
我有点迷茫,还是应该使用它。
$array = array('color' => $color,
'flavor' => $flavor,
'quality' => $quality,
'price' => $price);
$where = "(color = ? AND flavor = ?) OR (quality = ? AND price = ?)";
$this->db->where($where, $array, TRUE);
$result = $this->db->get('fruits');
您必须使用最后一个。无法检测其他查询中要"保护"的内容。