如何将 DB::insert 用作准备好的语句 LARAVEL
How to use DB::insert as a prepared statement LARAVEL
我试图使我的插入查询免受 sql 注入。但是我在让它工作时遇到了问题。有任何想法吗?
我已经尝试了几种方法。
$bullets = Input::get('bullet_content');
$product_id = Input::get('product_id');
$user_id = Input::get('user_id');
$retailer_id = Input::get('retailer_id');
$date = date("Y-m-d H:i:s");
foreach ($bullets as $bullet){
$query = "'INSERT INTO bullets(product_id, user_id,bullet_content, bullet_deleted, created_at, updated_at)
VALUES('?','?','?','?','?','?')', [$product_id,$user_id,$bullet,'N',$date,$date]";
DB::insert($query);
}
return back()->with('message','Features add successfully!');
当我尝试此操作时,出现以下错误:
SQLSTATE[07002]: [Microsoft][ODBC Driver 11 for SQL Server]COUNT field incorrect or syntax error (SQL: 'INSERT INTO bullets(product_id, user_id,bullet_content, bullet_deleted, created_at, updated_at) VALUES('?','?','?','?','?','?')', [1,1,can't,'N',2017-11-10 16:28:44,2017-11-10 16:28:44])
我也试过:
$bullets = Input::get('bullet_content');
$product_id = Input::get('product_id');
$user_id = Input::get('user_id');
$retailer_id = Input::get('retailer_id');
$date = date("Y-m-d H:i:s");
foreach ($bullets as $bullet){
$query = "'INSERT INTO bullets(product_id, user_id,bullet_content, bullet_deleted, created_at, updated_at)
VALUES('?','?','?','?','?','?')' ";
$values = [$product_id,$user_id,$bullet,'N',$date,$date];
DB::insert($query,$values);
}
return back()->with('message','Features add successfully!');
并出现以下错误:
SQLSTATE[42000]: [Microsoft][ODBC Driver 11 for SQL Server][SQL Server]Incorrect syntax near 'INSERT INTO bullets(product_id, user_id,bullet_content, bullet_deleted, created_at, updated_at) VALUES('. (SQL: 'INSERT INTO bullets(product_id, user_id,bullet_content, bullet_deleted, created_at, updated_at) VALUES('1','1','can't','N','2017-11-10 16:33:43','2017-11-10 16:33:43')' )
你不需要引用问号。此外,您可以在循环之前初始化 $query 并将其用作 foreach:
中准备好的查询
$bullets = Input::get('bullet_content');
$product_id = Input::get('product_id');
$user_id = Input::get('user_id');
$retailer_id = Input::get('retailer_id');
$date = date("Y-m-d H:i:s");
$query = "INSERT INTO bullets (product_id, user_id,bullet_content, bullet_deleted, created_at, updated_at)
VALUES (?, ?, ?, ?, ?, ?)";
foreach ($bullets as $bullet) {
$values = [$product_id,$user_id,$bullet,'N',$date,$date];
DB::insert($query, $values);
}
return back()->with('message','Features add successfully!');
我试图使我的插入查询免受 sql 注入。但是我在让它工作时遇到了问题。有任何想法吗? 我已经尝试了几种方法。
$bullets = Input::get('bullet_content');
$product_id = Input::get('product_id');
$user_id = Input::get('user_id');
$retailer_id = Input::get('retailer_id');
$date = date("Y-m-d H:i:s");
foreach ($bullets as $bullet){
$query = "'INSERT INTO bullets(product_id, user_id,bullet_content, bullet_deleted, created_at, updated_at)
VALUES('?','?','?','?','?','?')', [$product_id,$user_id,$bullet,'N',$date,$date]";
DB::insert($query);
}
return back()->with('message','Features add successfully!');
当我尝试此操作时,出现以下错误:
SQLSTATE[07002]: [Microsoft][ODBC Driver 11 for SQL Server]COUNT field incorrect or syntax error (SQL: 'INSERT INTO bullets(product_id, user_id,bullet_content, bullet_deleted, created_at, updated_at) VALUES('?','?','?','?','?','?')', [1,1,can't,'N',2017-11-10 16:28:44,2017-11-10 16:28:44])
我也试过:
$bullets = Input::get('bullet_content');
$product_id = Input::get('product_id');
$user_id = Input::get('user_id');
$retailer_id = Input::get('retailer_id');
$date = date("Y-m-d H:i:s");
foreach ($bullets as $bullet){
$query = "'INSERT INTO bullets(product_id, user_id,bullet_content, bullet_deleted, created_at, updated_at)
VALUES('?','?','?','?','?','?')' ";
$values = [$product_id,$user_id,$bullet,'N',$date,$date];
DB::insert($query,$values);
}
return back()->with('message','Features add successfully!');
并出现以下错误:
SQLSTATE[42000]: [Microsoft][ODBC Driver 11 for SQL Server][SQL Server]Incorrect syntax near 'INSERT INTO bullets(product_id, user_id,bullet_content, bullet_deleted, created_at, updated_at) VALUES('. (SQL: 'INSERT INTO bullets(product_id, user_id,bullet_content, bullet_deleted, created_at, updated_at) VALUES('1','1','can't','N','2017-11-10 16:33:43','2017-11-10 16:33:43')' )
你不需要引用问号。此外,您可以在循环之前初始化 $query 并将其用作 foreach:
中准备好的查询$bullets = Input::get('bullet_content');
$product_id = Input::get('product_id');
$user_id = Input::get('user_id');
$retailer_id = Input::get('retailer_id');
$date = date("Y-m-d H:i:s");
$query = "INSERT INTO bullets (product_id, user_id,bullet_content, bullet_deleted, created_at, updated_at)
VALUES (?, ?, ?, ?, ?, ?)";
foreach ($bullets as $bullet) {
$values = [$product_id,$user_id,$bullet,'N',$date,$date];
DB::insert($query, $values);
}
return back()->with('message','Features add successfully!');