How to stop FluentPDO incorrectly inferring a table name

别说谁变了你拦得住时间么 submitted on 2019-12-12 05:15:51

Question


I have a table of users, and I want to be able to filter the table by the email column, so I can see all the users with 'gmail.com' accounts, for example.

My current fpdo query looks like this:

$filter_email = trim($_GET['email']);
$fpdo->from('users')
    ->where('users.email LIKE "%' . $filter_email . '%"')
    ->fetchAll();

When I set $filter_email to a@b, everything works fine, and FluentPDO generates this SQL statement:

SELECT users.* FROM users
WHERE users.email LIKE "%a@b%" 

But if I search for a@b.c, FluentPDO tries to find the table b and errors:

SELECT users.* FROM users
LEFT JOIN b ON b.id = users.b_id
WHERE users.email LIKE "%a@b.c%"

I don't know how FluentPDO sees b.c as a table to join on, or how to stop it.

SOLUTION

Thanks mostly to deceze and also to aynber, here's the working solution:

$filter_email = '%'.trim($_GET['email']).'%';
$fpdo->from('users')
    ->where('users.email LIKE ?',$filter_email)
    ->fetchAll();

My actual query checks three different email fields, but using three ? and appending $filter_email three times works just fine:

->where(
    '(users.email1 LIKE ? OR users.email2 LIKE ? OR users.email1 LIKE ?)',
    $filter_email,
    $filter_email,
    $filter_email
)

Answer 1:


Its (apparently not so) "smart join builder" probably sees the . and thinks it relates to another table. You might want to file a bug with the author.

However, you're vulnerable to SQL injection concatenating the input directly into the query like that. Solving that will probably also solve your join issue. Quickly looking over the documentation, the parameter binding syntax looks like it should be this:

$fpdo->from('users')
     ->where('users.email LIKE ?', '%' . trim($_GET['email']) . '%')
     ->fetchAll();

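The answer's point in runnable form, as an added example that is neither the question's nor FluentPDO's own code: the same filter written against plain PDO (which FluentPDO delegates to) over an in-memory SQLite table with constructed rows, plus escaping of LIKE wildcards in the user input, a step the answer does not cover.

```php
<?php
// Added example, not from the question, the answer or FluentPDO.
// Constructed sample table so the script runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT)');
$ins = $pdo->prepare('INSERT INTO users (email) VALUES (?)');
foreach (['alice@gmail.com', 'ana@b.c', 'carol@example.org'] as $e) {
    $ins->execute([$e]);
}

// Escape the LIKE metacharacters so "%" and "_" typed by the user match
// themselves literally instead of acting as wildcards. Backslash is
// escaped first so the ones added for % and _ are not doubled afterwards.
function likeLiteral(string $s): string {
    return str_replace(['\\', '%', '_'], ['\\\\', '\\%', '\\_'], $s);
}

function filterByEmail(PDO $pdo, string $userInput): array {
    $pattern = '%' . likeLiteral(trim($userInput)) . '%';
    // The pattern travels as a bound parameter: the SQL parser, and the
    // FluentPDO join inference that tripped over "b.c", never see it as SQL.
    $stmt = $pdo->prepare("SELECT email FROM users WHERE email LIKE ? ESCAPE '\\'");
    $stmt->execute([$pattern]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

var_dump(filterByEmail($pdo, 'a@b.c'));     // the input from the question, bound safely
var_dump(filterByEmail($pdo, 'gmail.com')); // the substring filter the question wanted
var_dump(filterByEmail($pdo, '%'));         // "%" is now a literal, not "match everything"
```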

Source: https://stackoverflow.com/questions/35508298/how-to-stop-fluentpdo-incorrectly-inferring-a-table-name
