if(!empty($request->search_key)){
$search = $request->search_key;
$search_keys = explode(' ', $search);
$count = 1;
if(count($search_keys) > 0){
foreach($search_keys as $keys){
if(trim($keys) != ''){
$relevance .= " (MATCH(column_name) AGAINST ( ". "'" . $keys . "'" . ")* " . $count*10 . ") +";
}
$count++;
}
}
else{
$relevance .= " (MATCH(column_name) AGAINST ( ". "'" . $search . "'" . ")* " . $count*10 . ")";
}
$relevance = rtrim($relevance, '+');
$relevance = $relevance . ' AS relevance';
DB::table('tbl')->select(DB::raw($relevance))->get();
}
在此代码中,我们如何防止sql注入,如果仅是一条语句,那么我认为我可以使用,
DB::raw("SELECT * FROM users WHERE name = ?", [$name]));
但是在这种情况下,我需要循环准备。那该如何解决呢?
谢谢。
$search_keys = explode(' ', $search);
$terms = [];
$params = [];
$count = 1;
foreach ($search_keys as $key) {
$terms[] = "(MATCH(column_name) AGAINST(?) * ?)";
$params[] = $key;
$params[] = $count * 10;
$count++;
}
$relevance = implode($terms, " + ") . " AS relevance";
现在您有一个执行时要使用的查询参数数组:
DB::table('tbl')->selectRaw($relevance, $params)->get();