dtdfj08626 2015-05-21 06:34 · acceptance rate: 0% · 157 views

Yii bulk insert - avoiding SQL injection

I insert big chunks of data (~500 rows each) into the DB in a loop (there are nearly 20000 or more records in total):

    // $dataToDb holds one chunk of rows (column => value) for this loop iteration
    $builder = Yii::app()->db->schema->commandBuilder;
    $command = $builder->createMultipleInsertCommand('product_supplier', $dataToDb);
    $command->execute();

Using AR, one can use the validate() method to ensure that the data are valid, and AFAIK the model escapes all dangerous data.

I would like to avoid being SQL-injected.

Should I escape all data on my own when I use multiple insert, or does Yii take care of it?

Is it a good idea to use the standard PHP function mysqli_escape_string?

I feel unsure how good it is.

Thanks.


1 answer

  • dpftppc9674 2015-05-21 16:09

    The CDbCommand::createMultipleInsertCommand() method uses param binding, so it's safe.

    ActiveRecords also use param binding and there's no extra escaping as it is not required.

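The answer above says the builder binds the values as parameters. As an added example (not code from the original post, from the answer, or from Yii itself), here is the same chunked multi-row insert written against plain PDO, which is what Yii 1.x's CDbCommand wraps, so the safety property is visible rather than implied: every value travels through a `?` placeholder, while the table and column names, which cannot be bound, are checked against an allow-list and quoted before they reach the SQL text. The function name `insertRowsBound`, the sample rows in `$productSupplierRows`, the column list, the DSN and the credentials are all assumptions made for this example.

```php
<?php
// Added example, not from the original question, the answer or the Yii project.
// Names (insertRowsBound, $productSupplierRows), columns, DSN and credentials are assumed.

/**
 * Insert $rows into $table in chunks, binding every value as a parameter.
 * Column names cannot be bound, so they are checked against an allow-list
 * and identifier-quoted before being placed in the SQL text.
 */
function insertRowsBound(PDO $pdo, string $table, array $allowedColumns, array $rows, int $chunkSize = 500): int
{
    if ($rows === []) {
        return 0;
    }
    // The keys of the first row define the column list; reject anything outside the allow-list.
    $columns = array_keys($rows[0]);
    foreach ($columns as $col) {
        if (!in_array($col, $allowedColumns, true)) {
            throw new InvalidArgumentException("Column not allowed: $col");
        }
    }
    // MySQL identifier quoting: wrap in backticks and double any embedded backtick.
    $quoteId = fn(string $id): string => '`' . str_replace('`', '``', $id) . '`';
    $columnList = implode(', ', array_map($quoteId, $columns));
    $placeholderRow = '(' . implode(', ', array_fill(0, count($columns), '?')) . ')';

    $inserted = 0;
    foreach (array_chunk($rows, $chunkSize) as $chunk) {
        // SQL text contains only validated identifiers and placeholders, never a user value.
        $sql = sprintf(
            'INSERT INTO %s (%s) VALUES %s',
            $quoteId($table),
            $columnList,
            implode(', ', array_fill(0, count($chunk), $placeholderRow))
        );
        $stmt = $pdo->prepare($sql);
        $params = [];
        foreach ($chunk as $row) {
            foreach ($columns as $col) {
                // Each value is passed to execute() as a bound parameter.
                $params[] = $row[$col] ?? null;
            }
        }
        $stmt->execute($params);
        $inserted += $stmt->rowCount();
    }
    return $inserted;
}

// Constructed sample data; the first SKU deliberately contains a quote character
// to show that it is stored verbatim and never interpreted as SQL.
$productSupplierRows = [
    ['product_id' => 1, 'supplier_id' => 10, 'sku' => "ABC'123"],
    ['product_id' => 2, 'supplier_id' => 11, 'sku' => 'DEF-456'],
];

// Assumed DSN and credentials. The explicit charset matters: with the MySQL driver's
// default emulated prepares, PDO escapes on the client side and relies on knowing
// the connection charset to do so correctly.
$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'user', 'pass', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);

$count = insertRowsBound($pdo, 'product_supplier', ['product_id', 'supplier_id', 'sku'], $productSupplierRows);
echo $count, " rows inserted\n";
```

Two practical points follow from this. First, because the values are bound, there is nothing left to escape by hand; applying `mysqli_escape_string` on top would also be the wrong tool, since that function needs a mysqli connection and Yii 1.x talks to the database through PDO. Second, binding protects values only: if the table name or the array keys that become column names in `$dataToDb` could ever come from user input, validate them against a fixed list as the example does, because those identifiers are quoted into the statement text rather than bound.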
