我正在运行以下查询:
INSERT INTO deal (`site_id`, `status`, `slug`, `title`, `description`, `condition`, `sale_price`, `shipping`, `deal_url`, `buy_url`, `start`, `added`) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, NOW()) ON DUPLICATE KEY UPDATE `site_id` = ?,`status` = ?,`slug` = ?,`title` = ?,`description` = ?,`condition` = ?,`sale_price` = ?,`shipping` = ?,`deal_url` = ?,`buy_url` = ?,`start` = ?
通过此代码构建:
$this->db->query('INSERT INTO
deal
(`'.implode('`, `', array_keys($insert)).'`, `added`)
VALUES
('.implode(', ', array_fill(0, count($insertValues), '?')).', NOW())
ON DUPLICATE KEY UPDATE
'.implode(',', array_keys($update)), array_merge($insertValues, array_values($update)));
这个问题是我的查询没有正确转义......
INSERT INTO deal (`site_id`, `status`, `slug`, `title`, `description`, `condition`, `sale_price`, `shipping`, `deal_url`, `buy_url`, `start`, `added`) VALUES ('2', 1, http://www.woot.com/sale/sony-dash-personal-internet-viewer-7, 'Sony Dash Personal Internet Viewer', 'Finally, someone made me my own, personal internet!', 'New', '69.99', $5 shipping, http://www.woot.com/sale/sony-dash-personal-internet-viewer-7, , 1305867600, NOW()) ON DUPLICATE KEY UPDATE `site_id` = '2',`status` = 1,`slug` = http://www.woot.com/sale/sony-dash-personal-internet-viewer-7,`title` = 'Sony Dash Personal Internet Viewer',`description` = 'Finally, someone made me my own, personal internet!',`condition` = 'New',`sale_price` = '69.99',`shipping` = $5 shipping,`deal_url` = http://www.woot.com/sale/sony-dash-personal-internet-viewer-7,`buy_url` = ,`start` = 1305867600
我有 XSS 过滤设置......我错过了什么吗?
奇怪。数据库的定义是什么?我唯一能想到的是数据库层得出的结论是其中一些列不需要转义。