Php mysqli编写的语句没有bind_参数
我有此代码用于从用户表上的最新记录中选择Php mysqli编写的语句没有bind_参数,php,mysqli,Php,Mysqli,我有此代码用于从用户表上的最新记录中选择fname $mysqli = new mysqli(HOST, USER, PASSWORD, DATABASE); $sdt=$mysqli->('SELECT fname FROM user ORDER BY id DESC LIMIT 1'); $sdt->bind_result($code); $sdt->fetch(); echo $code ; 我在前面使用了带有bind_param的prepared语句,但现在在上面的代
fname$mysqli = new mysqli(HOST, USER, PASSWORD, DATABASE);
$sdt=$mysqli->('SELECT fname FROM user ORDER BY id DESC LIMIT 1');
$sdt->bind_result($code);
$sdt->fetch();
echo $code ;
我在前面使用了带有
bind_parambind_param()的情况下从表中选择。怎么做 事实上,如果我纠正你的脚本,它将是这样的:
$mysqli = new mysqli(HOST, USER, PASSWORD, DATABASE);
$sdt = $mysqli->prepare('SELECT fname FROM user ORDER BY id DESC LIMIT 1');
$sdt->execute();
$sdt->bind_result($code);
$sdt->fetch();
echo $code;
因此,如果没有bind_param,通常这对我有效:
$bla = $_POST['something'];
$mysqli = new mysqli(HOST, USER, PASSWORD, DATABASE);
$stmt = $mysqli->prepare("SELECT fname FROM user WHERE bla = " . $bla . " ORDER BY id DESC LIMIT 1");
$stmt->execute();
$stmt->bind_result($code);
$stmt->fetch();
echo $code;
这可能会有所帮助。如果您想在不绑定的情况下执行它,只需使用query
$mysqli = new mysqli(HOST, USER, PASSWORD, DATABASE);
$res = $mysqli->query('SELECT fname FROM user ORDER BY id DESC LIMIT 1');
echo current($res->fetch_row());
勾选的答案对SQL注入开放。使用预先准备好的语句而不正确准备数据有什么意义。您永远不应该只在查询行中放入字符串。准备好的陈述的要点是它已经准备好了。这里有一个例子
$query = "SELECT `Customer_ID`,`CompanyName` FROM `customers` WHERE `Customer_ID`=?";
$stmt = $db->prepare($query);
$stmt->bind_param('i',$_POST['ID']);
$stmt->execute();
$stmt->bind_result($id,$CompanyName);
在拉菲的代码中,你应该这样做
$bla = $_POST['something'];
$mysqli = new mysqli(HOST, USER, PASSWORD, DATABASE);
$stmt = $mysqli->prepare("SELECT `fname` FROM `user` WHERE `bla` = ? ORDER BY `id` DESC LIMIT 1");
$stmt->bind_param('s',$_POST['something']);
$stmt->execute();
$stmt->bind_result($code);
$stmt->fetch();
echo $code;
请注意,我不知道您的帖子数据是字符串还是整数。如果它是一个整数,你会把
$stmt->bind_param('i',$_POST['something']);
相反。我知道你说没有绑定参数,但请相信我,如果你从一个页面中获取输入,而没有首先正确地准备它,那真的很糟糕。这真的很危险。您没有转义查询,这可能导致SQL注入。