sql字符串转义问题

Question

是否有可能多次向转义字符串中插入相同的值？即

$wpdb->prepare("SELECT * FROM table WHERE (column1 = %s || column2 = %s || column3 = %s) AND this = $s", $search_terms,$that"); 

如果没有，没有人有一个很好的替代条件的建设者。 SQL在选定的表上运行多次。有些表格比其他表格有更多的搜索列表，所以我创建了一个条件构建器。但现在我试图逃避这些值来防止SQL注入。

$conditions = ""; 
       $query_seperator = " || "; 
       $i = 0; 
       foreach($table['fields'] as $field){ 

        if ($i < ($field_count-1)){ 
         $conditions = $conditions . $field . " LIKE %s" . $query_seperator; 
        } else { 
         $conditions = $conditions . $field . " LIKE %s"; 
        } 

        $i++; 
       } 

$wpdb->prepare("SELECT * FROM table WHERE ($conditions) AND this = $s", $search_terms,$that"); 

Answer 1

您的查询似乎是等同于

$wpdb->prepare("SELECT * FROM table WHERE %s IN (column1,column2,column3) AND this = $s", $search_terms,$that");