Brief introduction of query condition preprocessing for new features of ThinkPHP3.1

  • 2021-07-02 23:39:57
  • OfStack

The earlier ThinkPHP 3.0 release already applied security filtering to array query conditions (3.0 enforces field type detection, so the values in an array condition are cast to the declared type of the field), but it did not filter string conditions at all. ThinkPHP 3.1 adds preprocessing of condition strings, which closes that gap in the ORM.

1. Use the where method


The where method of the Model class supports string condition preprocessing. It can be called with an array of parameters:

$Model->where("id=%d and username='%s' and xx='%f'",array($id,$username,$xx))->select();

Or directly use:


$Model->where("id=%d and username='%s' and xx='%f'",$id,$username,$xx)->select();

If the $id variable comes from user input or from the URL and the submitted value is not numeric, the %d placeholder forces it to be formatted as a number before the query is run.

The preprocessing format supports the numeric, string and other placeholder types understood by vsprintf; see the vsprintf documentation for the full description of its format parameters.

2. Use the query and execute methods

Besides where conditions, the preprocessing mechanism is also available for the native SQL query methods, for example:


$Model->query("SELECT * FROM think_user WHERE id=%d and username='%s' and xx='%f'",array($id,$username,$xx));

The model's execute method supports the same preprocessing mechanism as the query method.
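To make the effect of the placeholders visible without a database, here is an added, stand-alone PHP script (example code, not ThinkPHP's own implementation) that emulates the vsprintf-style preprocessing used by both the where method and the query/execute methods above. The escapeValue function is an assumption standing in for the escaping a ThinkPHP database driver performs on each parameter; it uses addslashes only for this demonstration. The sample request values are constructed.

```php
<?php
// Added example (not ThinkPHP's own code): emulation of the vsprintf-based
// condition preprocessing described in the article, so the effect of each
// placeholder on untrusted input can be observed offline.

// Assumption: stand-in for the driver-level escaping step. addslashes() is
// used only to make the demonstration self-contained.
function escapeValue($value): string
{
    return is_string($value) ? addslashes($value) : (string) $value;
}

// Build a condition the way the article's where()/query() calls do:
// escape every parameter, then let vsprintf apply the %d / %s / %f formats.
function prepareCondition(string $format, array $params): string
{
    $escaped = array_map('escapeValue', $params);
    return vsprintf($format, $escaped);
}

// Constructed sample inputs standing in for values taken from a request.
$samples = [
    // well-formed values
    ['id' => '42',    'username' => 'alice',  'xx' => '3.5'],
    // non-numeric id: %d keeps only the leading integer part
    ['id' => '42abc', 'username' => 'bob',    'xx' => 'x'],
    // a quote inside the string value is escaped before it reaches %s
    ['id' => '7',     'username' => "o'neil", 'xx' => '1e3'],
];

// Same format string as in the article; note that the developer, not the
// preprocessor, supplies the quotes around %s and %f.
$format = "id=%d and username='%s' and xx='%f'";

foreach ($samples as $in) {
    $where = prepareCondition($format, [$in['id'], $in['username'], $in['xx']]);
    echo $where, PHP_EOL;
}
```

Running it shows why %d is the right placeholder for numeric identifiers: the string '42abc' is reduced to 42 and a completely non-numeric %f argument becomes 0.000000, so nothing but a number ever reaches the SQL. For %s the quoting must come from the format string itself, as in the article's examples; the escaping step only neutralises quote characters inside the value and will not add the surrounding quotes for you.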
