Google Bigquery - 运行 参数化查询 - php
Google Bigquery - Running parameterized queries - php
来自 Google Bigquery 文档:
Running parameterized queries
BigQuery supports query parameters to help prevent SQL injection when
queries are constructed using user input. This feature is only
available with standard SQL syntax.
To specify a named parameter, use the @ character followed by an
identifier, such as @param_name.
和 Google Bigquery 有 python 和 Java 的示例代码以使用参数化查询。
https://cloud.google.com/bigquery/querying-data#bigquery-query-params-python
Google Bigquery 在此处没有 php 参数化查询的 运行 示例代码。
我试过在 php 中使用 @ 就像在 python 和 java 代码中一样,它不起作用。
有什么建议吗?
谢谢!
我应 Elliott 和 Mosha 的要求添加了代码
代码:
$query = "SELECT * FROM [myproject.mydateset.users] where user_id = '$userId' LIMIT 1000";
$queryResults = $this->bigQuery->runQuery($query);
这个查询没问题。但这并不能阻止 sql 注入。
我尝试将查询更改为
$query = "SELECT * FROM [myproject.mydateset.users] where user_id = '@$userId' LIMIT 1000";
或
$query = "SELECT * FROM [myproject.mydateset.users] where user_id = @$userId LIMIT 1000";
防止sql注入。
两个查询都不起作用。
我没有设置项目来尝试这个,所以如果有语法错误或其他疏忽,我深表歉意,但请看看这是否有效。我根据您的查询 PHP API in Github. You will need to make sure to use standard SQL 而不是遗留 SQL.
$bigQuery = new BigQueryClient([
'projectId' => $projectId,
]);
$query = "SELECT COUNT(DISTINCT word) AS distinct_words
FROM `bigquery-public-data.samples.shakespeare`
WHERE corpus = @corpus_name;";
$queryResults = $bigQuery->runQuery(
$query,
['useLegacySql' => false],
['queryParameter' => new QueryParameter([
'name' => 'corpus_name',
'parameterType' => new QueryParameterType([
'type' => 'STRING',
]),
'parameterValue' => new QueryParameterValue([
'value' => 'kingrichardii',
]),
],
);
我尝试了这个并且成功了..[google-BigQuery]
$cloud = new ServiceBuilder([
'keyFilePath' => 'project-auth-file.json'
]);
$bigQuery = $cloud->bigQuery();
$query = 'select id
from `api-project-id.dbname.tablename`
where userId = @user_id;';
$_userId = 202;
$queryJobConfig = $bigQuery->query($query)
->parameters([
'user_id' => (int)$_userId
]);
$queryResults = $bigQuery->runQuery($queryJobConfig);
foreach ($queryResults as $row) {
echo "<br>". $row['id'];
}
{google-BigQuery}
来自 Google Bigquery 文档:
Running parameterized queries
BigQuery supports query parameters to help prevent SQL injection when queries are constructed using user input. This feature is only available with standard SQL syntax.
To specify a named parameter, use the @ character followed by an identifier, such as @param_name.
和 Google Bigquery 有 python 和 Java 的示例代码以使用参数化查询。
https://cloud.google.com/bigquery/querying-data#bigquery-query-params-python
Google Bigquery 在此处没有 php 参数化查询的 运行 示例代码。
我试过在 php 中使用 @ 就像在 python 和 java 代码中一样,它不起作用。
有什么建议吗?
谢谢!
我应 Elliott 和 Mosha 的要求添加了代码
代码:
$query = "SELECT * FROM [myproject.mydateset.users] where user_id = '$userId' LIMIT 1000";
$queryResults = $this->bigQuery->runQuery($query);
这个查询没问题。但这并不能阻止 sql 注入。
我尝试将查询更改为
$query = "SELECT * FROM [myproject.mydateset.users] where user_id = '@$userId' LIMIT 1000";
或
$query = "SELECT * FROM [myproject.mydateset.users] where user_id = @$userId LIMIT 1000";
防止sql注入。 两个查询都不起作用。
我没有设置项目来尝试这个,所以如果有语法错误或其他疏忽,我深表歉意,但请看看这是否有效。我根据您的查询 PHP API in Github. You will need to make sure to use standard SQL 而不是遗留 SQL.
$bigQuery = new BigQueryClient([
'projectId' => $projectId,
]);
$query = "SELECT COUNT(DISTINCT word) AS distinct_words
FROM `bigquery-public-data.samples.shakespeare`
WHERE corpus = @corpus_name;";
$queryResults = $bigQuery->runQuery(
$query,
['useLegacySql' => false],
['queryParameter' => new QueryParameter([
'name' => 'corpus_name',
'parameterType' => new QueryParameterType([
'type' => 'STRING',
]),
'parameterValue' => new QueryParameterValue([
'value' => 'kingrichardii',
]),
],
);
我尝试了这个并且成功了..[google-BigQuery]
$cloud = new ServiceBuilder([
'keyFilePath' => 'project-auth-file.json'
]);
$bigQuery = $cloud->bigQuery();
$query = 'select id
from `api-project-id.dbname.tablename`
where userId = @user_id;';
$_userId = 202;
$queryJobConfig = $bigQuery->query($query)
->parameters([
'user_id' => (int)$_userId
]);
$queryResults = $bigQuery->runQuery($queryJobConfig);
foreach ($queryResults as $row) {
echo "<br>". $row['id'];
}
{google-BigQuery}