2018-03-08

A small problem encountered in the interview

1. Anti-mysql injection

For web applications, SQL injection is without doubt the primary security issue to guard against. The framework's underlying layer already does a great deal of processing and ships with corresponding protection mechanisms for data security.

Even if a user supplies a malicious id parameter, the framework forces it to an integer, which prevents injection through that parameter: the framework performs mandatory data type checking and converts the data source to the expected format. For string-type data, ThinkPHP applies escape_string processing (real_escape_string, mysql_escape_string), and if you use the PDO driver it also supports parameter binding.

Parameter binding means binding each value to the corresponding named placeholder or question-mark placeholder in a prepared SQL statement; it also improves the efficiency of SQL processing. It requires support from the database driver class, and currently only the PDO and Sqlsrv drivers support parameter binding.

The usual security risk arises when your query conditions are built from strings and some of the variables in those strings come from client-side user input.

For that reason, when the where method is given string conditions it supports preprocessing (safety filtering), and the preprocessing parameters can be passed in two ways.
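As an added example (not code from the original post and not ThinkPHP's own where() implementation), the following Python script uses the standard sqlite3 module to show the three points above side by side: a query built by string concatenation, the same query with a question-mark placeholder and with a named placeholder (the two placeholder styles named in the parameter-binding paragraph), and an integer id that is coerced before it reaches the query. The user table and its rows are constructed for the demonstration; the placeholder syntax is Python's DB-API syntax, which is assumed here as a stand-in for the framework's own.

```python
import sqlite3

# Constructed sample data for an offline demonstration (not from the original post).
_SAMPLE_USERS = [
    (1, "alice", "alice@example.com"),
    (2, "bob", "bob@example.com"),
    (3, "carol", "carol@example.com"),
]


def make_db():
    """Create an in-memory SQLite database holding the constructed user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany("INSERT INTO user VALUES (?, ?, ?)", _SAMPLE_USERS)
    conn.commit()
    return conn


def find_unsafe(conn, username):
    """Vulnerable form: the user-supplied string is spliced into the SQL text,
    so a quote character in the input changes the meaning of the query."""
    sql = "SELECT id, username FROM user WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def find_by_name_qmark(conn, username):
    """Safe form 1: question-mark placeholder, value passed as a positional sequence.
    The driver sends the value separately from the SQL text, so it is never parsed as SQL."""
    sql = "SELECT id, username FROM user WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def find_by_name_named(conn, username):
    """Safe form 2: named placeholder, value passed as a mapping keyed by placeholder name."""
    sql = "SELECT id, username FROM user WHERE username = :name"
    return conn.execute(sql, {"name": username}).fetchall()


def coerce_id(raw_id):
    """Mandatory type conversion for an integer parameter, mirroring the forced
    int conversion the post describes. Returns None when the input is not an integer."""
    try:
        return int(raw_id)
    except (TypeError, ValueError):
        return None


def find_by_id(conn, raw_id):
    """Integer parameter: reject anything that is not an integer before it gets
    near the query, then bind the checked value rather than interpolating it."""
    id_value = coerce_id(raw_id)
    if id_value is None:
        raise ValueError("id must be an integer")
    return conn.execute("SELECT id, username FROM user WHERE id = ?", (id_value,)).fetchall()


def demo():
    """Run the same textbook input through all three string lookups and an id lookup."""
    conn = make_db()
    payload = "x' OR '1'='1"   # constructed input; matches no real username
    return {
        "unsafe": find_unsafe(conn, payload),        # every row comes back
        "qmark": find_by_name_qmark(conn, payload),  # no row: treated as a literal
        "named": find_by_name_named(conn, payload),  # no row: treated as a literal
        "by_id": find_by_id(conn, "2"),              # string "2" coerced to int 2
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

The unsafe lookup returns the whole table because the input's quote terminates the string literal and the rest becomes part of the WHERE clause; both bound forms return nothing because the driver passes the entire input as one string value. The id path shows why forced integer conversion closes the same hole for numeric parameters: anything that is not an integer is refused before a query is even built.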


Unfinished
