dongyuan3094 2016-04-13 15:09
Views: 82

Passing DESC or ASC through pg_query_params with PHP and Postgres

// The failing version: $2 is a bound parameter, and a parameter can only stand
// in for a value, never for the ASC/DESC keyword after ORDER BY date_created.
$query = "SELECT field1, field2, field3, date_created, id FROM database WHERE field1 LIKE $1 OR field2 LIKE $1 ORDER BY date_created $2 LIMIT $3 OFFSET $4";
$result = pg_query_params(
    $this->pgConnect($this->database_conn_string),
    $query,
    array('%' . $this->input . '%', $this->order, $this->numberOfItems, $this->selectField1FromDatabaseSearchOffset())
);
return $result;

I'm not getting any sort of useful error, just that the error is with $2, which will be set to either DESC or ASC. The error goes away if I stop trying to pass this in, so it's clearly a problem with passing in the order this way; however, I have no idea why, or how I would do it in a secure manner. The value comes in from a URL parameter, is put through 'htmlspecialchars', then passed to this.

Update: I should mention it does work if I put it directly in $query, i.e. like:

// Works, but $this->order is spliced into the SQL text unvalidated.
$query = "SELECT field1, field2, field3, date_created, id FROM database WHERE field1 LIKE $1 OR field2 LIKE $1 ORDER BY date_created $this->order LIMIT $2 OFFSET $3";

Though I don't think this is a secure way to do it, and it's not very consistent either!
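The reason the first version fails is that bound parameters ($1, $2, ...) are values, and PostgreSQL's parser only accepts them where an expression may appear. After ORDER BY date_created the grammar expects ASC, DESC, USING, NULLS or a comma, so a $2 there is a syntax error; LIMIT and OFFSET take expressions, which is why $3 and $4 bind fine. Sort direction and column names therefore have to be spliced into the SQL text, and the safe way to do that is to map the untrusted input onto a fixed allowlist and splice in the allowlisted constant, never the raw input. htmlspecialchars does nothing for this: it is HTML output encoding, not an SQL defence. The following is an added example, not code from the original post or from any answer; it assumes a pg_connect() connection string, reuses the table and column names from the question, and goes one step beyond it by allowlisting the sort column the same way, since that is the same problem. All function names are hypothetical.

```php
<?php
declare(strict_types=1);

// Allowlists: the only strings that will ever be concatenated into the SQL.
// Column names are the ones from the query in the question.
const SORT_COLUMNS = ['date_created', 'field1', 'field2'];
const SORT_DIRECTIONS = ['asc' => 'ASC', 'desc' => 'DESC'];

// Map a user-supplied direction onto one of two fixed keywords.
// Anything else is rejected rather than "cleaned".
function orderDirection(string $userInput): string
{
    $key = strtolower(trim($userInput));
    if (!array_key_exists($key, SORT_DIRECTIONS)) {
        throw new InvalidArgumentException('order must be asc or desc');
    }
    return SORT_DIRECTIONS[$key];
}

// Same idea for the sort column: only an allowlisted name is accepted, and it
// is returned double-quoted as an identifier. The user's string never reaches
// the SQL unless it is byte-for-byte one of our own constants.
function orderColumn(string $userInput): string
{
    if (!in_array($userInput, SORT_COLUMNS, true)) {
        throw new InvalidArgumentException('unknown sort column');
    }
    return '"' . $userInput . '"';
}

// Escape LIKE metacharacters in the search term so a search for "100%"
// matches literally. PostgreSQL's default LIKE escape character is the
// backslash, so no ESCAPE clause is needed.
function likeLiteral(string $term): string
{
    return str_replace(['\\', '%', '_'], ['\\\\', '\\%', '\\_'], $term);
}

// Build the statement. Only the validated column and direction are
// concatenated; the search term, LIMIT and OFFSET stay as $n parameters,
// which PostgreSQL accepts there because those positions take values.
function buildSearchQuery(string $column, string $direction): string
{
    return 'SELECT field1, field2, field3, date_created, id FROM database'
         . ' WHERE field1 LIKE $1 OR field2 LIKE $1'
         . ' ORDER BY ' . $column . ' ' . $direction
         . ' LIMIT $2 OFFSET $3';
}

// Run the search. $conn is a pg_connect() connection; $sortBy and $order are
// the raw URL parameters. No htmlspecialchars on the way in: that is output
// encoding for HTML and has no bearing on SQL.
function runSearch($conn, string $term, string $sortBy, string $order, int $limit, int $offset): array
{
    $sql = buildSearchQuery(orderColumn($sortBy), orderDirection($order));
    $params = ['%' . likeLiteral($term) . '%', $limit, $offset];
    $result = pg_query_params($conn, $sql, $params);
    if ($result === false) {
        throw new RuntimeException(pg_last_error($conn));
    }
    $rows = pg_fetch_all($result);
    // Older PHP returns false for an empty result set; normalise to [].
    return $rows === false ? [] : $rows;
}

// Usage (the connection string is an assumption for illustration):
// $conn = pg_connect('host=localhost dbname=app user=app');
// $rows = runSearch($conn, $_GET['q'] ?? '', $_GET['sort'] ?? 'date_created',
//                   $_GET['order'] ?? 'desc', 20, 0);
```

A request such as ?order=desc becomes ORDER BY "date_created" DESC, while ?order=desc;DROP+TABLE+x or ?sort=id are rejected before any SQL is built. The check is a lookup against constants, not a filter on the input, so there is no encoding trick that gets an unexpected string through it.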


0 answers
