From f60d1abff66fa549852ed0b61a19ef183239cab0 Mon Sep 17 00:00:00 2001
From: augushong
Date: Thu, 14 May 2026 23:22:01 +0800
Subject: [PATCH] =?UTF-8?q?fix(security):=20DebugMysql=E6=97=A5=E5=BF=97?=
 =?UTF-8?q?=E9=A9=B1=E5=8A=A8=E4=BD=BF=E7=94=A8PDO=E9=A2=84=E5=A4=84?=
 =?UTF-8?q?=E7=90=86=E9=98=B2=E6=AD=A2SQL=E6=B3=A8=E5=85=A5?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 extend/think/log/driver/DebugMysql.php | 39 ++++++++++----------------
 1 file changed, 15 insertions(+), 24 deletions(-)

diff --git a/extend/think/log/driver/DebugMysql.php b/extend/think/log/driver/DebugMysql.php
index f94d1af..e1da0a8 100644
--- a/extend/think/log/driver/DebugMysql.php
+++ b/extend/think/log/driver/DebugMysql.php
@@ -52,6 +52,11 @@ class DebugMysql implements LogHandlerInterface
 $log_key = uniqid();
+ $columns = 'level,content,create_time,create_time_title,uid,app_name,controller_name,action_name';
+ $placeholders = '?,?,?,?,?,?,?,?';
+ $sql = "INSERT INTO {$this->tableName} ({$columns}) VALUES ({$placeholders})";
+ $stmt = $this->pdo->prepare($sql);
+
 foreach ($log as $log_level => $log_list) {
 foreach ($log_list as $key => $log_item) {
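Review bot: `$sql` still interpolates `{$this->tableName}` directly, and a placeholder cannot bind an identifier, so the prepared statement protects the eight values but not the table name; whether that name is constrained is decided where it is assigned, outside this hunk. A guard before building `$sql`, such as `if (!preg_match('/^[A-Za-z0-9_]+$/', $this->tableName)) { throw new \InvalidArgumentException('invalid log table name'); }`, or backtick-quoting the name after that check, closes the gap regardless of where the value comes from. `$this->pdo->prepare($sql)` returns `false` rather than throwing unless the connection uses `PDO::ERRMODE_EXCEPTION`, which is not visible here, and in that case the `$stmt->execute()` in the next hunk would be a method call on `false`. The enclosing method begins before this hunk.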
@@ -59,30 +64,16 @@ class DebugMysql implements LogHandlerInterface
 $log_item = json_encode($log_item, JSON_UNESCAPED_UNICODE);
 }
- $log_data = [
- 'level' => $log_level,
- 'content' => $log_item,
- 'create_time' => $create_time,
- 'create_time_title' => $create_time_title,
- 'uid' => $log_key,
- 'app_name' => $app_name,
- 'controller_name' => $controller_name,
- 'action_name' => $action_name,
- ];
-
- foreach ($log_data as $key => &$value) {
- $value = str_replace('\'', '\\\'', $value);
- }
-
- $data_keys = array_keys($log_data);
-
- $data_keys_in_sql = join(',', $data_keys);
-
- $data_values_in_sql = join('\',\'', $log_data);
-
- $sql = "INSERT INTO {$this->tableName} ($data_keys_in_sql) VALUES ('$data_values_in_sql');";
-
- $this->pdo->exec($sql);
+ $stmt->execute([
+ $log_level,
+ $log_item,
+ $create_time,
+ $create_time_title,
+ $log_key,
+ $app_name,
+ $controller_name,
+ $action_name,
+ ]);
 }
 }
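Review bot: The result of `$stmt->execute([...])` is discarded, so if the connection is not in `PDO::ERRMODE_EXCEPTION` (not visible here) a failed insert returns `false` and the entry is silently dropped while the loop moves on. If that best-effort behaviour is intended for a log driver, a comment such as `// best effort: a failed insert must not break the request being logged` would make it explicit; otherwise check the return, e.g. `if (!$stmt->execute([...])) { throw new \RuntimeException('debug log insert failed: ' . implode(' ', $stmt->errorInfo())); }`. With the values bound as parameters, no manual quoting of `$log_item` or the other values should be reintroduced. The enclosing foreach loops open in the previous hunk and the method's closing brace is outside this one.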