代码之家 › 专栏 › 技术社区 › Yahya Uddin

使用原始sql时的laravel sql参数绑定

laravel mysql

Yahya Uddin · 技术社区 · 6 年前

我有以下疑问:

$venues = Venue::select(['id', 'name'])
            ->where('name', 'LIKE', "%{$query}%")
            ->orderByRaw("CASE " .
                         "WHEN name like '{$query}%' THEN 0 " . // start with
                         "WHEN name like '% {$query}%' THEN 1 " . // start of a later word
                         "ELSE 3 " .
                         "END"
            )
            ->limit(5)
            ->get();

问题是上述查询易受SQL注入攻击。我该怎么解决?

参数绑定解释如下:

https://laravel.com/docs/5.6/queries#raw-expressions

但如果我这样做:

$venues = Venue::select(['id', 'name'])
            ->where('name', 'LIKE', "%{$query}%")
            ->orderByRaw("CASE " .
                         "WHEN name like '?%' THEN 0 " . // start with
                         "WHEN name like '% ?%' THEN 1 " . // start of a later word
                         "ELSE 3 " .
                         "END",
                         [
                             $query,
                             $query,
                         ]
            )
            ->limit(5)
            ->get();

我得到了不同的结果。

1 回复 | 直到 6 年前

Yahya Uddin 6 年前

尝试将百分比添加到查询参数,如下所示:

...
->orderByRaw("CASE " .
    "WHEN name like ? THEN 0 " . // start with
    "WHEN name like ? THEN 1 " . // start of a later word
    "ELSE 3 " .
    "END",
    [
        "{$query}%",
        "% {$query}%",
    ]
)
...

推荐文章