PHP: What is wrong with my PDO prepared statement?
Because I noticed my site was vulnerable to SQL injection, I switched from the standard mysqli connection protocol to PDO. Since building the new connection and query script, I keep getting this error:

Warning: PDOStatement::execute: SQLSTATE[HY093]: Invalid parameter number: parameter was not defined in D:\wamp\www\Kerr Pumps\includes\product_data.php on line 31

Despite reading posts on other forums, I have not been able to find a solution.

// Get a list of all the pumps in the database
function get_pumps( $pType, $pVal, $gVal, $class_style ) {
    // PDO DB CONNECTION AS OF VERSION 1.1
    // Check whether correct data is passed into function...
    var_dump($pType);
    var_dump($pVal);
    var_dump($gVal);
    // Local connection variables
    $db_user = "root";
    $db_pass = "root";
    // Connect to the database
    try
    {
        $connection = new PDO('mysql:host=localhost;dbname=kerrpumps', $db_user, $db_pass );
        $stmt = $connection->prepare('SELECT * FROM pumps WHERE pump_type = :pType AND flow_psi = :pVal AND flow_gpm = :gVal AND high_psi = :pVal AND high_gpm = :gVal');
        // This is the execute() call on line 31 of product_data.php that raises the HY093 warning
        $stmt->execute(array( 'pump_type' => $pVal,
                              'flow_psi'  => $pVal,
                              'flow_gpm'  => $gVal,
                              'high_psi'  => $pVal,
                              'high_gpi'  => $gVal ));
        $result = $stmt->fetchAll();
        // If there are results...
        if ( count($result) )
        {
            foreach($result as $row){
                $link = '#';
                echo '<tr onclick="'."$link; window.location='$link'".'" class="'.($class_style %2 == 0 ? "row_dark" : "row_light").'">';
                echo '<a href="#">';
                include("grid_data.php");
                echo '</a>';
                $class_style++;
                echo "</tr>";
            }
        }
        // Else there are no results which match the query...
        else {
            echo "<tr class='styleOff'>
                <td class='styleOff'>We're sorry, but there are no pumps which fit the given search criteria. Please try again.</td>
                </tr>";
        }
    }
    // Error handling
    catch(PDOException $e) {
        echo 'ERROR: ' . $e->getMessage();
    }
}
As mentioned above, I am new to PDO and have probably missed something simple; any feedback or pointers would be greatly appreciated. Thank you.


The array keys passed to the ->execute call should match the names of the placeholders you are using, not the fields the placeholders are compared against:

SELECT * FROM pumps WHERE pump_type = :pType AND flow_psi = :pVal AND flow_gpm = :gVal AND high_psi = :pVal AND high_gpm = :gVal
                                      ^^^^^^---- use this instead

$stmt->execute(array('pType' => 'foo', ....));
                     ^^^^^^^--- use the placeholder name, NOT the field name

In the array you pass to execute, you need to give the keys the same names as the parameters, including the initial colon. So the first one should be :pType, and so on.

Ah, I see, that makes sense! Silly me. Thank you; the first time using PDO I assumed I had to pass the field names as the keys!
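A corrected version of the function, as an added example that is not the poster's or either answerer's code. It keeps the question's DSN, credentials and column names as assumptions and adds two things a practitioner would want beyond the key fix: every placeholder gets a distinct name, because PDO only allows reusing a named placeholder such as :pVal when ATTR_EMULATE_PREPARES is on, and ERRMODE_EXCEPTION is set so a failed execute() actually reaches the catch block (before PHP 8.0 the default error mode does not throw, which is why the question sees only a warning). Sample search values in the usage section are constructed.

```php
<?php
// Added example (not the original poster's code). DSN, credentials and column
// names are assumptions copied from the question; the search values are made up.
declare(strict_types=1);

function connect_pumps_db(): PDO
{
    return new PDO(
        'mysql:host=localhost;dbname=kerrpumps;charset=utf8mb4',
        'root',
        'root',
        [
            // Throw PDOException on any failure instead of emitting a PHP warning.
            PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
            // Real server-side prepares: bound values never become part of the SQL text.
            PDO::ATTR_EMULATE_PREPARES   => false,
        ]
    );
}

/**
 * Return every pump matching the search. Each placeholder has a unique name:
 * with emulation off, a named placeholder may appear only once per statement,
 * so the question's :pVal / :gVal are split into :flowPsi, :highPsi, :flowGpm, :highGpm.
 */
function get_pumps(PDO $pdo, string $pType, $pVal, $gVal): array
{
    $sql = 'SELECT * FROM pumps
            WHERE pump_type = :pType
              AND flow_psi  = :flowPsi AND flow_gpm = :flowGpm
              AND high_psi  = :highPsi AND high_gpm = :highGpm';
    $stmt = $pdo->prepare($sql);
    // Keys are the placeholder NAMES, not the column names. PDO accepts the
    // keys with or without the leading colon ('pType' and ':pType' both bind :pType).
    $stmt->execute([
        'pType'   => $pType,
        'flowPsi' => $pVal,
        'flowGpm' => $gVal,
        'highPsi' => $pVal,
        'highGpm' => $gVal,
    ]);
    return $stmt->fetchAll();
}

// Rendering is separated from querying, and every value is escaped before it
// reaches the HTML so database contents cannot inject markup into the page.
function render_pumps(array $rows): string
{
    if ($rows === []) {
        return "<tr class='styleOff'><td class='styleOff'>We're sorry, but there are no pumps "
             . "which fit the given search criteria. Please try again.</td></tr>\n";
    }
    $html = '';
    foreach ($rows as $i => $row) {
        $class = ($i % 2 === 0) ? 'row_dark' : 'row_light';
        $html .= '<tr class="' . $class . '">';
        foreach ($row as $value) {
            $html .= '<td>' . htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8') . '</td>';
        }
        $html .= "</tr>\n";
    }
    return $html;
}

// Usage with constructed search values.
try {
    $pdo = connect_pumps_db();
    echo render_pumps(get_pumps($pdo, 'centrifugal', 50, 10));
} catch (PDOException $e) {
    error_log($e->getMessage());   // keep driver details in the log, not in the visitor's browser
    echo "<tr class='styleOff'><td class='styleOff'>Database error, please try again later.</td></tr>";
}
```

If the application must keep ATTR_EMULATE_PREPARES at its default (on), reusing :pVal and :gVal as in the question works too; the distinct names simply make the statement correct under both settings.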