所以我在 MySQL 中有一个存储过程
delimiter //
DROP PROCEDURE IF EXISTS mysearch;
CREATE PROCEDURE mysearch (IN term varchar(255), IN brands varchar(512), IN categories varchar(512), IN priceRange varchar(32))
BEGIN
SET @query = 'SELECT name, price, image FROM (... join some tables here ... ) WHERE (... prod.category = some number ...)';
IF (term IS NOT NULL) THEN
SET term = CONCAT('\'%',term,'%\'');
SET @query = CONCAT(@query, ' AND (prod.name LIKE ', QUOTE(term), ' OR prod.number LIKE ', QUOTE(term), ')');
END IF;
PREPARE stmt1 FROM @query;
EXECUTE stmt1;
END //
delimiter ;
如何使用 LIKE 并仍然转义用户输入?
我想清理用户输入,但仍然允许使用 LIKE 进行搜索。
最佳答案
也许是这样的
DROP PROCEDURE IF EXISTS mysearch;
CREATE PROCEDURE mysearch (IN term varchar(255), IN brands varchar(512), IN categories varchar(512), IN priceRange varchar(32))
BEGIN
DECLARE fullterm varchar(255);
SET fullterm = CONCAT('%',term,'%');
SELECT name, price, image FROM (... join some tables here ... ) WHERE (... prod.category = some number ...)
AND (term IS NULL OR (prod.name LIKE fullterm OR prod.number LIKE fullterm));
END
关于mysql - 在存储过程中使用 LIKE 并同时转义注入(inject),我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/20645851/