PHP PDO prepare/execute SQL problem

I am having an issue with PDO prepared statements. In the code below, Example 1 uses a prepared statement, but this code does not produce the desired result. Example 2 produces the desired result, but does not use a prepared statement.

Example 1 uses ? placeholders in the SQL string; string values are then bound to those placeholders and the statement is executed (as you would expect).

The code:
<?php
// debugging
error_reporting(E_ALL);
ini_set("display_errors", 1);

// db vars
$host = 'localhost';
$db_name = 'cakeTut';
$db_username = 'root';
$db_password = 'password';

// try to connect to db, else catch exception.
try {
    $pdo = new PDO('mysql:host='.$host.';dbname='.$db_name, $db_username, $db_password);
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
} catch (PDOException $e) {
    echo $e->getMessage();
    die();
}

///////////////////////////////////////
// Example 1
///////////////////////////////////////
// query vars
$tablename = 'users';
$id = 'id';
$first_name = 'first_name';
$last_name = 'last_name';

// query string w/placeholders, then prepare query
$sql = "SELECT ?, ?, ? FROM $tablename";
$query = $pdo->prepare($sql);

// binding query vars to placeholders in query string
$query->bindParam(1, $id, PDO::PARAM_STR);
$query->bindParam(2, $first_name, PDO::PARAM_STR);
$query->bindParam(3, $last_name, PDO::PARAM_STR);

// execute query & print out query details for debugging
$query->execute();
$query->debugDumpParams();

// fetch result set & print it
$resultSet = $query->fetchAll();
print_r($resultSet);

// loop through result set and print cols.
foreach ($resultSet as $row) {
    echo $row['id'] . " " . $row['first_name'] . " " . $row['last_name'];
    echo "<br>";
}

///////////////////////////////////////
// Example 2
///////////////////////////////////////
// create query string without placeholders, prepare and execute
$sql = "SELECT `id`, `first_name`, `last_name` FROM `users`";
$query = $pdo->prepare($sql);
$query->execute();

// get result set & print it
$resultSet = $query->fetchAll();
print_r($resultSet);

// loop through result set and print cols.
foreach ($resultSet as $row) {
    echo $row['id'] . " " . $row['first_name'] . " " . $row['last_name'];
    echo "<br>";
}
?>
Example 1, looping through the result set and printing the columns, outputs:

id first_name last_name
id first_name last_name
id first_name last_name
id first_name last_name
id first_name last_name

Example 2, looping through the result set and printing the columns, outputs:

3 fiona mac
4 ronan duddy
5 tom thumb
30 ronan mcl
31 Admin admin
Am I missing something? Shouldn't the two examples in the code above print out the same data, i.e. that of Example 2? I have googled this, and the code in Example 1 matches the basic examples of prepared statements.

Many thanks,
Rónán

Prepared-statement placeholders can only stand in for values in the query. You cannot use them for table names, field names, or any other SQL keyword:
SELECT * FROM foo WHERE (somefield = ?) // ok
SELECT ? FROM foo WHERE (somefield = 2) // bad - cannot use for field name
SELECT * FROM ? WHERE (somefield = 2) // bad cannot use for table name
SELECT * FROM foo WHERE (somefield = 2) ORDER BY somefield ? // again bad, can't use for sort order
SELECT * FROM foo WHERE (? = 2) // again bad, can't use for field name
As I read it, you cannot use parameters for table/column names in PDO.

Note:

Does not work:
$sth = $dbh->prepare('SELECT name, colour, calories FROM ? WHERE calories < ?');

This works:
$sth = $dbh->prepare('SELECT name, colour, calories FROM fruit WHERE calories < ?');
You can't do this => SELECT ?, ?, ?
Where did you read that you can define a column name or table name as a parameter? In other words, you can use bound parameters for values, not for column or table names. Put another way, it doesn't know "ahead of time" what to select, because it is unknown; the thing "in question"? It's a bit like putting the cart before the horse. When you ask a question, it's because you don't yet know the answer, right? ;-) Well, there you go; the same applies here. Set a variable for it instead: $column1 = "column" and then SELECT $column1 ..., if that is what you are trying to achieve.

I understand now. Nice one, Fred! Thank you all very much! :)

A link to the documentation explains this as well:

Thanks Marc! Much appreciated.

For the last example, can one do this: $sql = "SELECT * FROM foo WHERE ($somefield = 2)" Thanks

@ronanduddy: That's not a placeholder. That's PHP variable interpolation, and it opens the query up to injection attacks. That is not something you want to do.

Thanks for your help.