我正在编写一个API类来查询数据。我在类中有一个函数,它使用myTextField.inputAccessoryView = UIToolbar()
语句来查询特定的硬编码表名(即eventLog)的数据。
下面列出了查询,其中SELECT引用了传递给函数的参数:
:value我正在尝试使用PDO语句来阻止SQL注入。我已经阅读了几个有关如何正确编写PDO语句的有用文档,包括bindValue / bindParam。
以下是完整的类文件:
// query
$sql = "SELECT :selectType
FROM `log` :clause
ORDER BY `:orderByColumn` :orderByClause
LIMIT :limitStart, :limitStep";
在Chrome控制台中返回网络响应:
<?php
// set requirements
require_once 'Database.php';
/* EventLogsAPI class
* This class is used to query data from the eventLog table, and handle other data processing
*/
class EventLogsAPI {
// set class member variables
private $connection; // database connection
private $records; // records from query
/* Constructor function
*/
public function __construct() {
// create DB object
$this->connection = new DBConnection();
}
/* Collect records function
* Get the records from this prep statement, and store them in $this->records
*
* @param object - database object
*/
public function collectRecords($prep) {
// clear records from previous query
$this->records = array();
// execute query
$prep->execute();
// for each record
while (false !== ($row = $prep->fetch(PDO::FETCH_ASSOC))) {
$this->records[] = $row;
}
}
/* getEventLogData function
* Get event log data with a optional (where) clause
*
* @param string - select state (*, distinct, etc...)
* @param string - conditional SQL clause (e.g. where ID = 2)
* @param string - order by column (e.g. user, ID, date, etc...)
* @param string - order by clause (e.g. asc, desc)
* @param integer - starting limit param (i.e. 0)
* @param integer - limit step param (i.e. 25)
* @param boolean - used to debug SQL
* @return JSON - json containing array of records
*/
public function getEventLogData($selectType, $clause, $orderByColumn, $orderByClause, $limitStart, $limitStep) {
// query
$sql = "SELECT :selectType
FROM `log` :clause
ORDER BY `:orderByColumn` :orderByClause
LIMIT :limitStart, :limitStep";
// prep the query
$prep = $this->connection->DB('log')->prepare($sql);
// for each function argument
foreach ($bind = func_get_args() as $key => $value) {
// prevent null values
if ($value == NULL) {
// set to empty strings
$bind[$key] = "";
}
// bind value
$prep->bindValue(":$bind[$key]", $bind[$key]);
// debug
echo ($key . " - " . $value . "\n");
}
// collect the records
$this->collectRecords($prep);
// return records
return json_encode($this->records);
}
}
?>
因此,基于此执行,绑定的SQL查询应该:
0 - *
1 -
2 - date
3 - DESC
4 - 0
5 - 20
<br />
<b>Warning</b>: PDOStatement::execute(): SQLSTATE[HY093]: Invalid parameter number: parameter was not defined in <b>EventLogsAPI.class.php</b> on line <b>32</b><br />
[]
但是,我收到错误:// query
$sql = "SELECT *
FROM `log`
ORDER BY `date` DESC
LIMIT 0, 20";
。
我检查过以下内容:
我知道还有其他几个问题,但我还没有找到解决这个问题的方法。任何有关调试的帮助都非常感谢。谢谢你的阅读。
答案 0 :(得分:1)
占位符只能代表 VALUES 。您不能将它们用于SQL关键字/标识符。
FROM `eventLog` :clause
^--keyword/identifier
ORDER BY `:orderByColumn` :orderByClause
^--------------^--- also wrong
您还可以不引用占位符。一旦它们被引用,它们就不再是占位符了,它们就是文字字符串。
如果你想以动态方式插入那种东西,你必须自己构建查询字符串:
$order_by = 'ASC':
$sql = "SELECT ... ORDER BY $order_by";
是的,这让你对潜在的sql injection attacks开放。占位符非常适合数据,但对于许多其他类型的查询它们完全没用。