How to mysql escape in magento?

借酒劲吻你 2021-02-07 12:49

I want to escape a string in Magento, but when I am using mysql_real_escape_string, I am getting a warning.

Warning: mysql_real_escape_string()

2 answers
  • 2021-02-07 13:00

    Use this to escape a string for a query and add the surrounding single quotes:

    Mage::getSingleton('core/resource')->getConnection('default_write')->quote($string);
    

    You can look up Varien_Db_Adapter_Pdo_Mysql for further quoting details if needed.

  • 2021-02-07 13:08

    I think Magento uses a DB Access layer based on PDO, which handles escaping automatically provided you use bound parameters. Example from "Using Magento Methods to write Insert Queries with care for SQL Injection":

    $write = Mage::getSingleton("core/resource")->getConnection("core_write");
    
    // Concatenated with . for readability
    $query = "insert into mage_example "
           . "(name, email, company, description, status, date) values "
           . "(:name, :email, :company, :desc, 0, NOW())";
    
    $binds = array(
        'name'    => "name' or 1=1",
        'email'   => "email",
        'company' => "company",
        'desc'    => "desc",
    );
    $write->query($query, $binds);
    
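The two approaches from the answers above, side by side, as an added example that is not part of the original posts. Plain PDO on an in-memory SQLite database stands in for Magento's PDO-based adapter (an assumption, so that it runs without a Magento install), and the table is a trimmed version of `mage_example`.

```php
<?php
// Added example. Plain PDO on in-memory SQLite stands in for Magento's
// PDO-based adapter (assumption), so it runs without a Magento install.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE mage_example (name TEXT, email TEXT, status INTEGER)');
$pdo->exec("INSERT INTO mage_example VALUES ('alice', 'alice@example.test', 0)");

$input = "name' or 1=1"; // the value used in the answer's $binds

// Raw concatenation: the quote inside $input closes the literal early, so the
// rest of the value reaches the SQL parser as syntax instead of data.
try {
    $pdo->query("SELECT COUNT(*) FROM mage_example WHERE name = '" . $input . "'");
    echo "concatenated: query ran with the input parsed as SQL\n";
} catch (PDOException $e) {
    echo "concatenated: parser rejected input as SQL (" . $e->getMessage() . ")\n";
}

// Approach 1 (first answer): quote() escapes the value and adds the quotes.
// The escaping style (doubled quote or backslash) depends on the driver.
$quoted = $pdo->quote($input);
echo "quoted literal: $quoted\n";
$n = $pdo->query("SELECT COUNT(*) FROM mage_example WHERE name = $quoted")
         ->fetchColumn();
echo "rows matched via quote(): $n\n";

// Approach 2 (second answer): named placeholders, values passed separately.
$insert = $pdo->prepare(
    'INSERT INTO mage_example (name, email, status) VALUES (:name, :email, 0)'
);
$insert->execute(array('name' => $input, 'email' => 'email'));

$select = $pdo->prepare('SELECT name FROM mage_example WHERE name = :name');
$select->execute(array('name' => $input));
$stored = $select->fetchColumn();

// The stored value is compared byte-for-byte with the input, and the table
// is counted to confirm only the one new row was added.
var_dump($stored === $input);
$total = $pdo->query('SELECT COUNT(*) FROM mage_example')->fetchColumn();
echo "total rows: $total\n";
```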