阻止Laravel全文搜索中的Sql注入

Question

if(!empty($request->search_key)){
                $search = $request->search_key;
                $search_keys = explode(' ', $search);
                $count = 1;
                if(count($search_keys) > 0){
                    foreach($search_keys as $keys){
                        if(trim($keys) != ''){
                            $relevance .= " (MATCH(column_name) AGAINST ( ". "'" . $keys . "'" . ")* " . $count*10 . ") +";
                        }
                        $count++;
                    }
                }
                else{
                    $relevance .= " (MATCH(column_name) AGAINST ( ". "'" . $search . "'" . ")* " . $count*10 . ")";
                }
                $relevance = rtrim($relevance, '+');
                $relevance = $relevance . ' AS relevance';

               DB::table('tbl')->select(DB::raw($relevance))->get();
            }

在这段代码中，我们如何防止sql注入，如果它是一条语句，那么我想我可以使用，

DB::raw("SELECT * FROM users WHERE name = ?", [$name]));

但在这种情况下，我在循环中准备它。那么如何解决这个问题呢？

谢谢。

Answer 1

$search_keys = explode(' ', $search);
$terms = [];
$params = [];
$count = 1;
foreach ($search_keys as $key) {
    $terms[] = "(MATCH(column_name) AGAINST(?) * ?)";
    $params[] = $key;
    $params[] = $count * 10;
    $count++;
}
$relevance = implode($terms, " + ") . " AS relevance";

现在，您有了一个查询参数数组，可以在执行以下命令时使用：

DB::table('tbl')->selectRaw($relevance, $params)->get();