Laravel eloquent selectRaw 用于 SQL 注射

Question

我有疑问：

$typeCancel = 'cancel'; $typeRefund = 'refund';
$query = Order::select(DB:raw('order.*,'
    "IF (order.type IN (?, ?), (order.amount * -1), order.amount) AS custom_amount"))
->where('provider', 1)
->setBindings([$typeCancel, $typeRefund], 'select')
->get();

并且有效。我该怎么做：

... IF (order.type IN (?) ...
... ->setBindings([$types], 'select')

我试试这个：

$types = "'{$typeCancel}','{$typeRefund}'";
... IF (order.type IN (?) ...
... ->setBindings([$types], 'select')

但是不正确，结果查询是这样的：

... IF (order.type IN ("'cancel','refund'") ...

Answer 1

你可以做到$types = array($typeCancel, $typeRefund); 然后你可以将 $types 传递给你的绑定

Laravel eloquent selectRaw 用于 SQL 注射

Laravel eloquent selectRaw for SQL injection

php

select

sql-injection

laravel-5.2