Safe SQL query patterns in Yii2 (preventing injection vulnerabilities)
2021-02-14 14:45:13
// 1. Raw SQL with a named placeholder: the value is bound by the driver, never spliced into the string.
$sql = "SELECT * FROM bfams_statuslogs WHERE BILLID = :BILLID ORDER BY createTime DESC";
$DataRowsBill = \Yii::$app->db->createCommand($sql, [':BILLID' => $billid])->queryAll();
// 2. ActiveRecord query builder: hash and operator conditions are bound as parameters; the trailing `false` disables escaping of % and _ in $q so the prefix wildcard works.
$DataRows = BfamsBilltable::find()->select('ID,BILLNO,BILLDATE,USERID')->where(['USERID' => $userid])->andWhere(['and', ['like', 'BILLNO', $q . '%', false], ['SCHOOLNO' => $schoolid]])->limit(20)->asArray()->all();
// 3. Query builder with a string condition: the user-supplied keyword is attached with addParams(), so even a raw $_GET value cannot alter the statement's structure.
$books = $db->from('book1')->where("book_title LIKE :keywords")->addParams([':keywords' => '%' . $_GET['keywords'] . '%'])->orderBy('addtime DESC')->all();
Using a framework does not by itself prevent SQL injection; what matters is using parameterized queries and never concatenating SQL strings from input!
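As an added illustration (not code from the original post), here is the string concatenation the post warns against beside its parameterized Yii2 equivalents, plus a LIKE search that escapes the wildcard characters in the user term. It assumes a configured \Yii::$app->db connection and the table and column names used in the post.

```php
<?php
// Added example, not part of the original post.
// Assumes \Yii::$app->db is configured and the tables from the post exist.

use yii\db\Query;

// UNSAFE: the bill id is spliced into the SQL text. A single quote inside
// $billid terminates the literal and the remainder is parsed as SQL.
function statusLogsUnsafe(string $billid): array
{
    $sql = "SELECT * FROM bfams_statuslogs WHERE BILLID = '$billid' ORDER BY createTime DESC";
    return \Yii::$app->db->createCommand($sql)->queryAll();
}

// SAFE: named placeholder. The value travels to the driver separately from
// the statement text, so it can only ever be compared as data.
function statusLogsSafe(string $billid): array
{
    $sql = "SELECT * FROM bfams_statuslogs WHERE BILLID = :BILLID ORDER BY createTime DESC";
    return \Yii::$app->db->createCommand($sql, [':BILLID' => $billid])->queryAll();
}

// Prefix search on BILLNO. The like condition is bound as a parameter; the
// fourth operand `false` tells Yii not to escape the pattern, so we escape the
// LIKE metacharacters in the user term ourselves before appending our own %.
// Without this, a user could pass "%" and match every bill of that school.
function billsByPrefix(string $userid, string $schoolid, string $q): array
{
    $escaped = strtr($q, ['\\' => '\\\\', '%' => '\%', '_' => '\_']);
    return (new Query())
        ->select(['ID', 'BILLNO', 'BILLDATE', 'USERID'])
        ->from('bfams_billtable')              // assumed table name behind BfamsBilltable
        ->where(['USERID' => $userid, 'SCHOOLNO' => $schoolid])
        ->andWhere(['like', 'BILLNO', $escaped . '%', false])
        ->limit(20)
        ->all();
}

// Substring search on book titles: same idea with a string condition and
// explicit params, the form the post uses with addParams().
function booksByKeyword(string $keywords): array
{
    $escaped = strtr($keywords, ['\\' => '\\\\', '%' => '\%', '_' => '\_']);
    return (new Query())
        ->from('book1')
        ->where('book_title LIKE :kw', [':kw' => '%' . $escaped . '%'])
        ->orderBy('addtime DESC')
        ->all();
}
```

Comparing `\Yii::$app->db->createCommand($sql, $params)->getRawSql()` for the safe variants against the unsafe one is a quick way to check in a dev environment that input is bound rather than interpolated.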