在Laravel中使用DB :：select和其他工具安全吗？

Question

查询并不总是简单的，有时我需要创建一个纯SQL查询，查询生成器也不适合。ПрииспользованииDB：：选择，подготовливаютсялипеременные，которыеподставленывзапрос？

在这种情况下会有sql注入吗？

$mastersInCity = DB::select('SELECT
        master_user.master_id,
        masters.specialization,
        category_letter_master.category_letter_id AS master_letter,
        COUNT(*) AS count_in_city

        FROM master_user

        LEFT JOIN masters ON master_user.master_id = masters.id
        LEFT JOIN category_letter_master ON category_letter_master.master_id = master_user.master_id 

        WHERE ' . $chooiseId . ' = ' . $cityId . ' GROUP 

        BY master_user.master_id, master_letter');

或者，在这种情况下，最好直接使用PDO，这样可以自己手动准备请求吗？

Answer 1

$mastersInCity = DB::select('SELECT
    master_user.master_id,
    masters.specialization,
    category_letter_master.category_letter_id AS master_letter,
    COUNT(*) AS count_in_city

    FROM master_user

    LEFT JOIN masters ON master_user.master_id = masters.id
    LEFT JOIN category_letter_master ON category_letter_master.master_id = master_user.master_id 

    WHERE ? = ? GROUP 

    BY master_user.master_id, master_letter', [$chooiseId, $cityId]);

这相当于准备好的陈述。

博士：https://laravel.com/docs/5.7/database#running-queries

编辑:我相信只要有口才就能做到这一点，这里没有什么太复杂的。类似于：

MasterUser::with(['master', 'master_letter'])->withCount()->where($chooiseId, $cityId)->get()