How do I use prepared statements / bind values in a Joomla 3 query?

I'd like to know how to bind values in a where clause. I understand that this is something that MUST be done for security reasons.

$db = JFactory::getDbo();
$query = $db->getQuery(true);
$query
    ->select("*")
    ->from($db->quoteName("food"))
    ->where("taste = :taste")
    ->bind(':taste', 'sweet');
$db->setQuery($query);
$rows = $db->loadAssocList();

I get this error:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ':taste' at line 3 SQL=SELECT * FROM food WHERE taste = :taste

My code is based on this post. It says that in Joomla 3.1 only "PDO/Sqlite and PDO/Oracle are supporting prepared statements". I am using Joomla 3.2.1 and MySQL, and in my Joomla configuration MySQLi is selected. Could that be the problem?

I am quite confused because I don't know which API / class I have to follow.

  • JDatabase for Joomla 3.x: there is no bind method, and the information is scant; it seems like it is not complete.
  • JDatabase for Joomla 2.5 has more information, but obviously it is not my version. There is no bind method.
  • JDatabaseQuery for Joomla 3.x: there is no bind method.
  • JDatabaseQuerySqlite for Joomla 3.x has a bind method.
  • JDatabaseQueryPdo for Joomla 3.x: there is no bind method.
  • JTable for Joomla 3.x has a bind method.

I'm even starting to doubt whether I have to use JFactory::getDbo() to select/insert/update/delete data in the Joomla DB.

Thanks in advance.

Recommended answer

As far as I know, you can't use prepared statements or bind values with Joomla.

If you read the Secure Coding Guidelines from the Joomla documentation (http://docs.joomla.org/Secure_coding_guidelines#Constructing_SQL_queries), they don't talk about prepared statements, only about using casting or quoting to avoid SQL injection.
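As an added example (not code from the question or the answer), here is the question's food query rebuilt without bind(), using the quoting and casting approach the guidelines describe. It assumes a Joomla 3 runtime where JFactory is loaded; the getFood() function, the #__food table and its columns, and the sample input values are constructed for illustration.

```php
<?php
// Added example: build the question's query with quoting/casting instead of bind().
// Assumes a Joomla 3 runtime (JFactory available). The table #__food, its columns
// and the filter values are constructed; the values stand in for untrusted input.

/**
 * Return rows from #__food matching a taste, a calorie limit and a list of origins.
 *
 * @param  string  $taste        Untrusted string: always passed through $db->quote().
 * @param  mixed   $maxCalories  Untrusted number: cast to int, never placed raw in SQL.
 * @param  array   $origins      Untrusted list of strings: every element is quoted.
 * @return array   Associative rows from loadAssocList().
 */
function getFood($taste, $maxCalories, array $origins)
{
    $db    = JFactory::getDbo();
    $query = $db->getQuery(true);

    // Identifiers go through quoteName(); values go through quote(), which escapes
    // the string with the driver's escape function and wraps it in single quotes,
    // so the generated SQL never contains raw user input.
    $query->select($db->quoteName(array('id', 'name', 'taste', 'calories')))
        ->from($db->quoteName('#__food'))
        ->where($db->quoteName('taste') . ' = ' . $db->quote($taste))
        // Numbers are cast rather than quoted: '300abc' becomes 300, 'abc' becomes 0.
        ->where($db->quoteName('calories') . ' < ' . (int) $maxCalories);

    if (!empty($origins))
    {
        // Quote each list element individually before joining them into an IN (...) list.
        $quotedOrigins = array_map(array($db, 'quote'), $origins);
        $query->where($db->quoteName('origin') . ' IN (' . implode(',', $quotedOrigins) . ')');
    }

    $db->setQuery($query);

    return $db->loadAssocList();
}

// Constructed sample input, as it might arrive from the request:
$rows = getFood("sweet' OR 1=1", '300abc', array('peru', "o'brien"));
// The taste string is escaped inside its quotes, the limit becomes 300,
// and each origin is an individually quoted literal.
```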
