使用like和%

eblbsuwk  于 2021-06-19  发布在  Mysql
关注(0)|答案(1)|浏览(308)

我有一个很大的sql查询,我正试图阻止注入。因为查询在变量上使用like和“%”,所以我不知道如何格式化它,也不知道我的常用方法

$sql = "INSERT into UsedBook ( userId, bookId, price, description ) VALUES 
(?,?,?,?)";

if($stmt = mysqli_prepare($conn, $sql)){
    mysqli_stmt_bind_param($stmt, "iiis", $userId, $bookId, $price, 
$description);
mysqli_stmt_execute($stmt);
}

不符合格式。
这是我的大问题。在靠近底部的地方查找带有变量的like语句。

$sql = "SELECT DISTINCT Offering.offeringId, UsedBook.saleId, 
UsedBook.bookId, UsedBook.price,
UsedBook.timeStamp, Book.bookName, Classes.classNumber, Instructor.name,
Classes.departmentName, Offering.section, Users.email, UsedBook.description
FROM UsedBook, Book, Classes, Offering, Instructor, RequiredBook, Users
WHERE UsedBook.bookId = Book.bookId
and Classes.classId = RequiredBook.classId and Book.bookId = 
RequiredBook.bookId
and Classes.classId = Offering.classId and Offering.instructorId = 
Instructor.instructorId
and Offering.semesterId = $semester and UsedBook.userId = Users.userId and 
UsedBook.userId != $userId
and Classes.departmentName like '$departmentName%' and Classes.classNumber 
like '$classNumber%'
and Book.bookName like '$bookName%' and Offering.section like '$section%'";
3pvhb19x

3pvhb19x1#

你仍然可以使用预先准备好的语句,你只需要合并 % 进入绑定参数,例如。

$sql = "SELECT * FROM UsedBook WHERE bookName LIKE ?";
$param = "$bookName%";
if($stmt = mysqli_prepare($conn, $sql)){
    mysqli_stmt_bind_param($stmt, "s", $param);
    mysqli_stmt_execute($stmt);
}

相关问题