duanchao1002
2017-11-10 16:35
浏览 115
已采纳

如何使用DB :: insert作为预处理语句LARAVEL

I am trying to make my insert query protected against sql injection. But I am having issues getting this to work. any ideas? I have tried several things.

 $bullets = Input::get('bullet_content');
        $product_id = Input::get('product_id');
        $user_id = Input::get('user_id');
        $retailer_id = Input::get('retailer_id');
        $date = date("Y-m-d H:i:s");
        foreach ($bullets as $bullet){


            $query = "'INSERT INTO bullets(product_id, user_id,bullet_content, bullet_deleted, created_at, updated_at) 
                        VALUES('?','?','?','?','?','?')', [$product_id,$user_id,$bullet,'N',$date,$date]";


                        DB::insert($query);
        }
        return back()->with('message','Features add successfully!');

When I try this I get the following errror:

SQLSTATE[07002]: [Microsoft][ODBC Driver 11 for SQL Server]COUNT field incorrect or syntax error (SQL: 'INSERT INTO bullets(product_id, user_id,bullet_content, bullet_deleted, created_at, updated_at) VALUES('?','?','?','?','?','?')', [1,1,can't,'N',2017-11-10 16:28:44,2017-11-10 16:28:44])

I have also tried:

 $bullets = Input::get('bullet_content');
        $product_id = Input::get('product_id');
        $user_id = Input::get('user_id');
        $retailer_id = Input::get('retailer_id');
        $date = date("Y-m-d H:i:s");
        foreach ($bullets as $bullet){


            $query = "'INSERT INTO bullets(product_id, user_id,bullet_content, bullet_deleted, created_at, updated_at) 
                        VALUES('?','?','?','?','?','?')' ";
            $values = [$product_id,$user_id,$bullet,'N',$date,$date];

                        DB::insert($query,$values);
        }
        return back()->with('message','Features add successfully!');

and got the following error:

SQLSTATE[42000]: [Microsoft][ODBC Driver 11 for SQL Server][SQL Server]Incorrect syntax near 'INSERT INTO bullets(product_id, user_id,bullet_content, bullet_deleted, created_at, updated_at) VALUES('. (SQL: 'INSERT INTO bullets(product_id, user_id,bullet_content, bullet_deleted, created_at, updated_at) VALUES('1','1','can't','N','2017-11-10 16:33:43','2017-11-10 16:33:43')' )
  • 点赞
  • 写回答
  • 关注问题
  • 收藏
  • 邀请回答

1条回答 默认 最新

  • dongxian3418 2017-11-10 16:40
    已采纳

    You don't need to quote question marks. Furthermore you can initialize $query before loop and use it as your prepared query inside the foreach:

    $bullets = Input::get('bullet_content');
    $product_id = Input::get('product_id');
    $user_id = Input::get('user_id');
    $retailer_id = Input::get('retailer_id');
    $date = date("Y-m-d H:i:s");
    $query = "INSERT INTO bullets (product_id, user_id,bullet_content, bullet_deleted, created_at, updated_at) 
                           VALUES (?, ?, ?, ?, ?, ?)";
    foreach ($bullets as $bullet) {
        $values = [$product_id,$user_id,$bullet,'N',$date,$date];
        DB::insert($query, $values);
    }
    return back()->with('message','Features add successfully!');
    
    点赞 打赏 评论

相关推荐 更多相似问题