Updated: 2021-10-16 22:15:32
updateAll() does not automatically wrap string values in quotes unlike when using save(). You have to do this yourself. From the docs:-
Literal values should be quoted manually using DboSource::value().
You need to wrap each string value in $this->request->data with quotes using something like the datasource's value() method before calling updateAll():-
$db = $this->getDataSource();
$value = $db->value($value, 'string');
It is advisable to not just pass $this->request->data to updateAll() anyway as someone could inject data into your database. Instead build a new array of save data from your request data and wrap strings as appropriate. For example:-
$db = $this->getDataSource();
$user = $this->request->data['User'];
$data = array(
'username' => $db->value($user['username'], 'string'),
'password' => $db->value($user['password'], 'string'),
'email' => $db->value($user['email'], 'string'),
'phone' => $db->value($user['phone'], 'string'),
'address' => $db->value($user['address'], 'string'),
'location' => $db->value($user['location'], 'string'),
'pincode' => $db->value($user['pincode'], 'integer')
);
$this->User->updateAll($data, array("User.id" => $v));
Update
As an alternative to using updateAll() you would be better to use save() for what you are doing here. As long as your save data contains the record's primary key (e.g. User.id) it will perform an UPDATE rather than an INSERT:-
$this->request->data['User']['id'] = $v;
$this->User->save($this->request->data);
save() will handle all the strings for you so there is no need for wrapping them in quotes yourself.
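The advice above about building a new array instead of passing $this->request->data straight to updateAll() can be wrapped in a model method, shown here as an added example that is not part of the original answer. It assumes CakePHP 2.x and a User model; updateProfile() and $updatable are hypothetical names, and the field list is a subset of the one in the answer.

```php
<?php
// Added example (not from the original answer). Assumes CakePHP 2.x and a
// User model; updateProfile() and $updatable are hypothetical names.
App::uses('AppModel', 'Model');

class User extends AppModel {

    // Whitelist: request key => column type handed to DboSource::value().
    // Anything not listed here never reaches the UPDATE statement.
    protected $updatable = array(
        'email'    => 'string',
        'phone'    => 'string',
        'address'  => 'string',
        'location' => 'string',
        'pincode'  => 'integer',
    );

    public function updateProfile($id, array $input) {
        $db = $this->getDataSource();
        $fields = array();

        foreach ($this->updatable as $name => $type) {
            if (!array_key_exists($name, $input)) {
                continue; // field not submitted: leave the column alone
            }
            // Request parameters can arrive as arrays (e.g. email[]=x);
            // accept only scalars so each column gets exactly one literal.
            if (!is_scalar($input[$name])) {
                return false;
            }
            // updateAll() does not quote values for you, so every literal
            // goes through the datasource's value() first.
            $fields[$this->alias . '.' . $name] = $db->value($input[$name], $type);
        }

        if (empty($fields)) {
            return false; // nothing permitted to update
        }

        // Same array-style condition on the primary key as in the answer.
        return $this->updateAll(
            $fields,
            array($this->alias . '.' . $this->primaryKey => $id)
        );
    }
}
```

From the controller this would be called as $this->User->updateProfile($v, $this->request->data['User']), so keys outside the whitelist are ignored no matter what the form submits.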