CFQUERY到queryExecute：如果SQL字符串中

什麼是做什麼我<cfquery>即使在queryExecuteCFQUERY到queryExecute：如果SQL字符串中

CFQUERY

<cfquery name="qry"> SELECT * FROM tbl_products WHERE filed1 = 1 <cfif structKeyExists(URL, "test")> AND filed2 = 2 </cfif> ORDER BY id DESC </cfquery>

cfexecute

<cfscript> sql = " SELECT * FROM tbl_products WHERE filed1 = 1 ORDER BY id DESC "; if (structKeyExists(URL, "test")){ sql = " SELECT * FROM tbl_products WHERE filed1 = 1 AND filed2 = 2 ORDER BY id DESC "; } qry = queryExecute( sql = sql ); </cfscript>
做的最好的辦法

I希望我已經解釋清楚自己...

來源

2016-07-27 Ivan

您必須建立SQL字符串。也值得傳遞參數值，以免受到SQL注入的影響。例如：

<cfscript> 
params = {}; 

sql = " 
    SELECT * FROM tbl_products 
    WHERE filed1 = :filed1 
"; 
params["filed1"] = 1; 

if (structKeyExists(URL, "test")){ 
    sql &= "AND filed2 = :filed2 "; 
    params["filed2"] = 2; 
} 

sql &= "ORDER BY id DESC"; 

queryExecute(sql, params); 
</cfscript>

或者，您可以使用位置參數。

<cfscript> 
params = []; 

sql = " 
    SELECT * FROM tbl_products 
    WHERE filed1 = ? 
"; 
arrayAppend(params, 1); 

if (structKeyExists(URL, "test")){ 
    sql &= "AND filed2 = ? "; 
    arrayAppend(params, 2); 
} 

sql &= "ORDER BY id DESC"; 

queryExecute(sql, params); 
</cfscript>

這是標籤比腳本更好的時代之一。

來源

2016-07-27 17:16:24

謝謝。我認爲我是這樣做的。我希望以某種其他「更清潔」的方式解決某些「詭計」：D – Ivan

CFQUERY到queryExecute：如果SQL字符串中

回答

相關問題