Route::get('admin/user/delete/(:any)', array('as' => 'username', 'uses' => '[email protected]_delete_process'));
public function action_user_delete_process($username)
{
$result = User::find($username)->delete();
}
我需要擔心注射嗎?
一般來說,ORM處理所有的轉義。除非你傳遞原始的SQL查詢,否則你應該沒有逃避你的輸入。爲了證實,我通過Laravel代碼挖,和整個方法,它的確利用PDO::prepare傳來:
/** laravel/database/connection.php, lines 219-278 */
protected function execute($sql, $bindings = array())
{
/* ... */
try
{
$statement = $this->pdo->prepare($sql);
$start = microtime(true);
$result = $statement->execute($bindings);
}
// If an exception occurs, we'll pass it into our custom exception
// and set the message to include the SQL and query bindings so
// debugging is much easier on the developer.
catch (\Exception $exception)
{
$exception = new Exception($sql, $bindings, $exception);
throw $exception;
}
/* ... */
}
我從來沒有使用原始查詢。在最壞的情況下,我將它用於?的並將值綁定到?的。非常感謝您的回覆。 – Aristona 2013-04-08 00:07:00