Laravel DB::raw bind parameters
【Posted】: 2019-08-20 21:31:06
【Question】:
I'm having a problem trying to bind data to a query. I'm using the PHP framework Laravel, version 5.7.
I tried to bind the data this way:
    DB::raw("(
        select
            10 * FLOOR(SUM(TIME_TO_SEC(TIMEDIFF(end_time, start_time)) - 3600 )
            * (drivers.salary_per_hour / 3600) / 10)
        from assignments
        where
            assignments.driver_id = drivers.id
            and assignments.driving_day
                between STR_TO_DATE('?', '%Y-%m-%d')
                and STR_TO_DATE('?', '%Y-%m-%d') )
        as salary",[
            $dates['from'],
            $dates['to']
        ])
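and received null as the result.
Values of the $dates array:
    ['from' => '2019-03-01', 'to' => '2019-03-31']
But if I do it this way, it works fine, but it has SQL injection, and I think it would be better if I bound the data.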
    $drivers = Driver::select([
        'id', 'name', 'surname', 'phone', 'driver_status','driver_status', 'updated_at', 'updated_at', 'photo',
        'salary_per_hour',
        // Vulnerable as posted: the dates are concatenated straight into the SQL text.
        DB::raw("(
            select 10 * FLOOR(SUM(TIME_TO_SEC(TIMEDIFF(end_time, start_time)) - 3600 ) * (drivers.salary_per_hour / 3600) / 10)
            from assignments
            where assignments.driver_id = drivers.id
            and assignments.driving_day between STR_TO_DATE('".$dates['from']."', '%Y-%m-%d') and STR_TO_DATE('".$dates['to']."', '%Y-%m-%d') ) as salary"),
        DB::raw("(
            select SEC_TO_TIME(SUM(TIME_TO_SEC(TIMEDIFF(end_time, start_time)) - 3600 ))
            from assignments
            where assignments.driver_id = drivers.id
            and assignments.driving_day between STR_TO_DATE('".$dates['from']."', '%Y-%m-%d') and STR_TO_DATE('".$dates['to']."', '%Y-%m-%d') ) as worked_hours"),
    ])->whereHas('assigments', function ($query) use ($dates) {
        $query->whereBetween('driving_day', [$dates['from'], $dates['to']]);
    });
    $table = $drivers->paginate(15);
What is wrong with my data binding?
===
I tried it like this:
    and assignments.driving_day
        between STR_TO_DATE(?, '%Y-%m-%d')
        and STR_TO_DATE(?, '%Y-%m-%d') )
and got the error:
SQLSTATE[HY093]: Invalid parameter number (SQL: select `id`, `name`, `surname`, `phone`, `driver_status`, `driver_status`, `updated_at`, `updated_at`, `photo`, ▶
select 10 * FLOOR(SUM(TIME_TO_SEC(TIMEDIFF(end_time, start_time)) - 3600 ) * (drivers.salary_per_hour / 3600) / 10)
from assignments
where assignments.driver_id = drivers.id
and assignments.driving_day between STR_TO_DATE('2019-03-07', '%Y-%m-%d') and STR_TO_DATE('2019-03-31', '%Y-%m-%d') ) as salary, (
select SEC_TO_TIME(SUM(TIME_TO_SEC(TIMEDIFF(end_time, start_time)) - 3600 ))
from assignments
where assignments.driver_id = drivers.id
and assignments.driving_day between STR_TO_DATE('2019-03-07', '%Y-%m-%d') and STR_TO_DATE('2019-03-31', '%Y-%m-%d') ) as worked_hours, (
select 10 * FLOOR(SUM(TIME_TO_SEC(TIMEDIFF(end_time, start_time)) - 3600 ) * (drivers.salary_per_hour / 3600) / 10)
from assignments
where assignments.driver_id = drivers.id
and assignments.driving_day between STR_TO_DATE(2019-03-07, '%Y-%m-%d') and STR_TO_DATE(2019-03-31, '%Y-%m-%d') ) as test from `drivers` where exists (select * from `assignments` where `drivers`.`id` = `assignments`.`driver_id` and `driving_day` between ? and ?) limit 15 offset 0)
【Comments】:
You need to remove the quotes around the ?s.
【Answer 1】:
In your query:
    and assignments.driving_day
        between STR_TO_DATE('?', '%Y-%m-%d')
        and STR_TO_DATE('?', '%Y-%m-%d') )
You shouldn't quote the bound parameters ('?'). Laravel, like other database interfaces, handles that level of encapsulation for you.
You want:
    and assignments.driving_day
        between STR_TO_DATE(?, '%Y-%m-%d')
        and STR_TO_DATE(?, '%Y-%m-%d') )
【Comments】:
@VardanNersesyan: The last part of the query also needs parameters: (select * from assignments where drivers.id = assignments.driver_id and driving_day between ? and ?). You need to bind them the same way you bind the other parameters.
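
An added example, not part of the original thread: the question's query rewritten with bound parameters. DB::raw() accepts only the SQL string, so the bindings array passed to it in the question never reaches the statement; the query builder's selectRaw() takes the bindings as its second argument. The `App\Driver` namespace and the sample `$dates` values are assumptions, the `assigments` relation name is kept as spelled in the question, and the duplicated column names are listed once.

```php
<?php
use App\Driver; // assumed model namespace (not shown on the page)

// Sample input shaped like the question's $dates array; treat it as untrusted.
$dates = ['from' => '2019-03-01', 'to' => '2019-03-31'];
$range = [$dates['from'], $dates['to']];

// Shared tail of both subqueries. The placeholders are bare ?, never '?':
// a quoted '?' is the one-character string literal "?", which STR_TO_DATE()
// cannot parse, so the whole expression evaluates to NULL.
$period = "from assignments
    where assignments.driver_id = drivers.id
    and assignments.driving_day
        between STR_TO_DATE(?, '%Y-%m-%d') and STR_TO_DATE(?, '%Y-%m-%d')";

$drivers = Driver::select([
        'id', 'name', 'surname', 'phone', 'driver_status',
        'updated_at', 'photo', 'salary_per_hour',
    ])
    // Each selectRaw() call registers its own two bindings, in the same order
    // as the placeholders appear in the final SQL text.
    ->selectRaw("(
        select 10 * FLOOR(SUM(TIME_TO_SEC(TIMEDIFF(end_time, start_time)) - 3600)
            * (drivers.salary_per_hour / 3600) / 10)
        {$period}) as salary", $range)
    ->selectRaw("(
        select SEC_TO_TIME(SUM(TIME_TO_SEC(TIMEDIFF(end_time, start_time)) - 3600))
        {$period}) as worked_hours", $range)
    // Relation name as spelled in the question.
    ->whereHas('assigments', function ($query) use ($range) {
        // whereBetween() supplies the two values for the exists (...) subquery.
        $query->whereBetween('driving_day', $range);
    });

$table = $drivers->paginate(15);
```

The statement now contains six placeholders and six bound values, so the count mismatch behind SQLSTATE[HY093] no longer occurs, and the date strings never become part of the SQL text.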