How to mysql escape in magento?

借酒劲吻你 2021-02-07 12:49

I want to escape a string in Magento, but when I use mysql_real_escape_string, I get a warning.

Warning: mysql_real_escape_string()

2 answers
  •  一生所求
    2021-02-07 13:08

    I think Magento uses a DB access layer based on PDO, which handles escaping automatically provided you use bound parameters. Example from "Using Magento Methods to write Insert Queries with care for SQL Injection":

    $write = Mage::getSingleton("core/resource")->getConnection("core_write");
    
    // Concatenated with . for readability
    $query = "insert into mage_example "
           . "(name, email, company, description, status, date) values "
           . "(:name, :email, :company, :desc, 0, NOW())";
    
    $binds = array(
        'name'    => "name' or 1=1",
        'email'   => "email",
        'company' => "company",
        'desc'    => "desc",
    );
    $write->query($query, $binds);
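
An added example, not part of the answer above and not Magento code: plain PDO with an in-memory SQLite database stands in for Magento's PDO-based connection, to show what binding does with the answer's `name' or 1=1` value compared with pasting it into the SQL text. The cut-down `mage_example` schema, the sample rows and the helper names `findByNameConcatenated` and `findByNameBound` are assumptions made for the illustration.

```php
<?php
// Added example: plain PDO + in-memory SQLite stands in for Magento's
// PDO-based connection (assumption; Magento itself is not loaded here).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE mage_example (name TEXT, email TEXT, company TEXT, description TEXT, status INTEGER)');

// Constructed sample rows; the second name is the hostile value from the answer.
$rows = array(
    array('name' => 'alice', 'email' => 'a@example.com', 'company' => 'Acme', 'desc' => 'first'),
    array('name' => "name' or 1=1", 'email' => 'email', 'company' => 'company', 'desc' => 'desc'),
);
$insert = $pdo->prepare(
    'INSERT INTO mage_example (name, email, company, description, status) '
  . 'VALUES (:name, :email, :company, :desc, 0)'
);
foreach ($rows as $row) {
    $insert->execute($row); // array keys map to the named placeholders
}

// Unsafe (hypothetical helper): the value becomes part of the SQL text,
// so a quote inside it ends the string literal early.
function findByNameConcatenated(PDO $pdo, $name)
{
    $sql = "SELECT name FROM mage_example WHERE name = '" . $name . "'";
    try {
        return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
    } catch (PDOException $e) {
        return 'statement broken by input: ' . $e->getMessage();
    }
}

// Safe (hypothetical helper): the SQL text is fixed and the value is sent
// separately as a bound parameter, so it is only ever treated as data.
function findByNameBound(PDO $pdo, $name)
{
    $stmt = $pdo->prepare('SELECT name FROM mage_example WHERE name = :name');
    $stmt->execute(array('name' => $name));
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$hostile = "name' or 1=1";
echo "concatenated: ";
var_export(findByNameConcatenated($pdo, $hostile));
echo "\nbound:        ";
var_export(findByNameBound($pdo, $hostile));
echo "\n";
```

The bound lookup returns only the row whose name is literally `name' or 1=1`, while the concatenated lookup no longer parses as the statement that was intended.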
    
