如何从mysql_ *升级到mysqli_ *?
[英]How to upgrade from mysql_* to mysqli_*?
问题描述
I'm currently using deprecated code to get data from users, as follows: 
我目前正在使用弃用的代码来从用户那里获取数据,如下所示:
/* retrieve */
$lastName = $_POST['lastName'];
$firstName = $_POST['firstName'];
$examLevel=$_POST['level'];
/* connect */
$dbc=mysql_connect("localhost", "user", "passw") or die('Error connecting to MySQL server');
mysql_select_db("db") or die('Error selecting database.');
/* sanitize */
$lastName=mysql_real_escape_string($lastName);
$firstName=mysql_real_escape_string($firstName);
$examLevel=mysql_real_escape_string($examLevel);
/* insert */
$query_personal = "INSERT INTO personal (LastName, FirstName) VALUES ('$lastName', '$firstName')";
$query_exam = "INSERT INTO exam (Level, Centre, BackupCentre, etc.) VALUES ('$examLevel', '$centre', '$backup', 'etc')";
This is working but I keep coming across warnings about security and lack of support. 这是有效的,但我不断发现有关安全性和缺乏支持的警告。 There's a small rewrite to connect with mysqli instead of mysql but what about mysqli_real_escape_string ? 有一个小的重写连接 mysqli而不是mysql但是mysqli_real_escape_string怎么样? I've seen it used in examples but I've also seen advice to use prepared statements instead which don't use mysqli_real_escape_string. 我已经看到它在示例中使用但我也看到了使用预处理语句的建议,而不使用mysqli_real_escape_string。
And how would I use prepared statements to INSERT my data? 我如何使用预准备语句来插入我的数据? I'm a bit at sea with this bit so far. 到目前为止,我有点在海上。 For example, is parameter binding only for INSERTs and result binding only for SELECTs? 例如,仅针对INSERT的参数绑定和仅针对SELECT的结果绑定吗?
2 个解决方案
解决方案1
0 2013-04-25 16:45:28
see this pages for converting mysql into mysqli 看到这个页面将mysql转换成mysqli
Converting_to_MySQLi Converting_to_MySQLi
https://wikis.oracle.com/display/mysql/Converting+to+MySQLi https://wikis.oracle.com/display/mysql/Converting+to+MySQLi
and see mysqli_real_escape_string manual that explain about mysqli_real_escape_string and Security problem and how to solve it. 并查看mysqli_real_escape_string手册,解释有关mysqli_real_escape_string和安全问题以及如何解决它。
php.net: php.net:
Security: the default character set 安全性:默认字符集
The character set must be set either at the server level, or with the API function mysqli_set_charset() for it to affect mysqli_real_escape_string(). 必须在服务器级别或使用API函数mysqli_set_charset()设置字符集,以使其影响mysqli_real_escape_string()。 See the concepts section on character sets for more information. 有关更多信息,请参阅字符集的概念部分。
see this page for query for insert data 请参阅此页面以查询插入数据
see this page for prepare data for inserting to mysql 请参阅此页面以准备插入mysql的数据
and http://php.net/manual/de/mysqli.quickstart.prepared-statements.php 和http://php.net/manual/de/mysqli.quickstart.prepared-statements.php
解决方案2
0 已采纳 2013-04-25 16:50:40
/* connect */
$dsn = "mysql:host=localhost;db=test;charset=utf8";
$opt = array(
PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC
);
$pdo = new PDO($dsn,"user", "passw", $opt);
/* insert */
$query = "INSERT INTO personal (LastName, FirstName) VALUES (?, ?)";
$stmt = $pdo->prepare($query);
$stmt->execute(array($_POST['lastName'],$_POST['firstName']));
$query = "INSERT INTO exam (Level, Centre, BackupCentre, etc) VALUES (?, ?, ?, 'etc')";
$stmt = $pdo->prepare($query);
$stmt->execute(array($_POST['level'], $centre, $backup));
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.