2011-12-07 89 views
1

I have the following query to select rows from a table based on row number, using CodeIgniter query bindings.

$targeted_rows = implode(",", $wanted); 

$sql = "SELECT * FROM ( 
    SELECT @row:=@row+1 AS rownum, productsa.* FROM ( 
        SELECT @row:=0 
    ) r, productsa 
) ranked 
WHERE rownum IN (?)"; 
// the whole comma-separated list is bound as ONE value 
$q = $this->db->query($sql, $targeted_rows); 

$data = array(); 
if ($q->num_rows() > 0) { 
    foreach ($q->result() as $row) { 
        $data[] = $row; 
    } 
} 
return $data; 

At the moment the query is executed like this, with the numbers inside quotes, and it does not work:

SELECT * FROM ( 
    SELECT @row:=@row+1 AS rownum, productsa.* FROM ( 
        SELECT @row:=0 
    ) r, productsa 
) ranked 
WHERE rownum IN ('1,4,7,10,13,16,19,22,25,28,31,34,37,40,43,46,49,52,55,58,61,64,67,70,73,76,79,82,85,88,91,94,97,100,103,106,109,112,115,118,121,124,127,130,133,136,139,142,145,148,151,154,157,160,163,166,169,172') 

However, when I run the query manually without the quotes it works fine. I am completely at a loss as to how to do the binding without the quotes showing up in the query.

EDIT: I tried getting rid of the implode and using the code below, but I get the same problem:

$targeted_rows = ''; 
foreach ($wanted as $value) { 
    $targeted_rows .= $value . ","; 
} 
// escape() returns the escaped string; the return value is not used here 
$this->db->escape($targeted_rows); 

Answers

0

Maybe just make it safe with $this->db->escape(), as Sudhir mentioned earlier, and then simply insert the escaped values into the SQL yourself (without query bindings)?

$escaped_wanted = array(); 
foreach ($wanted as $id) { 
    $escaped_wanted[] = $this->db->escape($id); 
} 
$targeted_rows = implode(",", $escaped_wanted); 
$sql = "SELECT * FROM ( 
    SELECT @row:=@row+1 AS rownum, productsa.* FROM ( 
        SELECT @row:=0 
    ) r, productsa 
) ranked 
WHERE rownum IN ({$targeted_rows})"; 
$q = $this->db->query($sql); 
+0

Thanks, that works perfectly. – JCrev
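As an added example (not code from the question or from either answer), this keeps CodeIgniter's query binding instead of string-building: it emits one `?` per row number, so each value is bound and escaped on its own rather than the whole list being bound as a single quoted string, which is exactly what produced `IN ('1,4,7,...')` above. The model class name and method name are assumed; `$wanted` and the table `productsa` come from the question.

```php
<?php
// Added example, not from the original thread. Assumes a CodeIgniter 2.x
// model; the class and method names are made up for illustration.
class Products_model extends CI_Model
{
    public function rows_by_rownum(array $wanted)
    {
        // rownum is an integer, so coerce every requested value to int and
        // drop anything that is not a positive number. Only integers reach
        // the query, whatever the caller passed in.
        $rownums = array_values(array_filter(array_map('intval', $wanted)));
        if (empty($rownums)) {
            return array();
        }

        // One placeholder per value ("?,?,?"): query() escapes each bound
        // value separately, so integers are inserted unquoted, one per slot.
        $placeholders = implode(',', array_fill(0, count($rownums), '?'));

        // Note: without an ORDER BY inside the derived table the numbering
        // follows the engine's scan order, as in the original query.
        $sql = "SELECT * FROM (
                    SELECT @row:=@row+1 AS rownum, productsa.*
                    FROM (SELECT @row:=0) r, productsa
                ) ranked
                WHERE rownum IN ({$placeholders})";

        $q = $this->db->query($sql, $rownums);

        return ($q->num_rows() > 0) ? $q->result() : array();
    }
}
```

With `$wanted = array(1, 4, 7)` the bound SQL ends in `WHERE rownum IN (1,4,7)`; a non-numeric entry such as `'7 OR 1=1'` becomes `7` before it is ever bound.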

0

The only way this will work is, instead of using implode, to use a foreach loop to concatenate the ids and then use:

$this->db->escape($targeted_rows); // to make it safer 
+0

I'm not sure what I'm missing, but when I try it as

foreach ($wanted as $value) { 
    $targeted_rows .= $value . ","; 
} 
$this->db->escape($targeted_rows); 

I get the same query output with the quotes (I'm not sure how to format code in a comment). – JCrev