新手请问模糊查询怎样防止sql注入

WBOY
Release: 2016-06-13 12:51:31
Original
1291 people have browsed it

新手请教模糊查询怎样防止sql注入
//创建表模型
$news_table=new news();
//创建相应的适配器
$db=$news_table->getAdapter();
//准备好sql语句
$sql=$db->quoteInto("select title,pubDate from news where title like '%$keyword_arr[0]%'");
//获取结果集
$res=$db->query($sql)->fetchAll();
我需要模糊查询,有意要带%号,而且里面还有变量名$号,数组的下标运算符[]号,但又要防止别人用%之类的这些东西来Sql注入,这句话该怎么写啊??


------解决方案--------------------
加一个 mysql_real_escape_string();
不过mysql_real_escape_string不转义 % 和 _ 所以可以先 str_replace(),去掉不想要的符号。
Related labels:
source:php.cn
Statement of this Website
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn
Popular Tutorials
More>
Latest Downloads
More>
Web Effects
Website Source Code
Website Materials
Front End Template