
PDO ->prepare on mysql query won't work

I have a mysql query that I'd like to wrap up like this: $sql = $dbh->prepare("SELECT * FROM log"); Then, I execute it like this: $sql->execute(); Now my question is: why can't I use it in a foreach($dbh->query($sql) as $row) loop? When I try to get it to run in the foreach loop the login form does not read from the db anymore. If I remove the $dbh->prepare statement it works just fine, but I wanted to block SQL injection on it. Thanks.

You need to fetch the results first (after you execute the statement):

$rows = $sql->fetchAll();
foreach($rows as $row) {
    // ...
}


query() expects a string only (the SQL query). But you were passing the return result of prepare() to it, which is a PDOStatement object.

prepare() is used in succession with execute(), not query(). It makes sense to prepare your statements when you have input parameters that you want to pass to execute().

In short:

$stm = $dbh->prepare('SELECT...');
$stm->execute();

is equivalent to:

$stm = $dbh->query('SELECT...');

if you have no input parameters to send.

You are using prepared statements: $db->prepare($my_sql_query). When you use prepared statements, you usually have some variables bound to the query. For example:

$my_query = 'SELECT * FROM users WHERE user_id=:user_id';
$prepared_statement = $db->prepare($my_query);
$prepared_statement->bindValue(':user_id', 123);

Now that you have bound your values, you need to execute your query:

$prepared_statement->execute();

When you execute the prepared statement it generates the actual SQL code and then executes it in MySQL. Then, to retrieve the results, you would execute:

$record = $prepared_statement->fetch(); //if you want to get only one record from the table
$records = $prepared_statement->fetchAll(); // if you want to get multiple records from the table

foreach($records as $row) {
    // your code here...
}

If you're using $db->query() you should be able to get the results with the following code:

$sql = 'SELECT name, color, calories FROM fruit ORDER BY name';
foreach ($db->query($sql) as $row) {
    print $row['name'] . "\t";
    print $row['color'] . "\t";
    print $row['calories'] . "\n";
}

// outputs 
// apple   red     150
// banana  yellow  250
// kiwi    brown   75
// lemon   yellow  25
// orange  orange  300
// pear    green   150
// watermelon      pink    90

(taken from php.net)

There is a big difference between the methods query and prepare:

  1. The query method will directly execute the SQL code you've entered.
  2. prepare will "prepare" your SQL code. This process replaces all params in the SQL code with some actual values (i.e. SELECT * FROM users WHERE user_id=:user_id will become SELECT * FROM users WHERE user_id=1). Thus, when you use prepared statements you need to call execute so that the code is sent to MySQL.
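The prepare, bind, execute, fetch sequence from this answer applied to the asker's login-form lookup, as an added example that is not from any of the answers above. It uses an in-memory SQLite database so it runs offline; the log table's columns, the sample rows and the checkLogin function are assumptions made for the demo.

```php
<?php
// Added example (not from the answers above): prepare -> bind -> execute -> fetch
// for a login-form lookup. In-memory SQLite so it runs offline; the "log" table,
// its columns and its rows are constructed for this demo.
$dbh = new PDO('sqlite::memory:');
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);          // fail loudly, not silently
$dbh->setAttribute(PDO::ATTR_DEFAULT_FETCH_MODE, PDO::FETCH_ASSOC);
// On MySQL you would additionally set PDO::ATTR_EMULATE_PREPARES to false so the
// server, not the client driver, performs the parameter binding.

$dbh->exec('CREATE TABLE log (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)');
$ins = $dbh->prepare('INSERT INTO log (username, password_hash) VALUES (:u, :h)');
foreach ([['alice', 's3cret'], ['bob', 'hunter2']] as [$u, $p]) {
    $ins->execute([':u' => $u, ':h' => password_hash($p, PASSWORD_DEFAULT)]);
}

// What the login form should call (hypothetical helper): the username is user
// input and is handed to the database as a bound parameter, never concatenated
// into the SQL string, so quoting in the input cannot change the query.
function checkLogin(PDO $dbh, string $username, string $password): bool
{
    $stm = $dbh->prepare('SELECT password_hash FROM log WHERE username = :username');
    $stm->bindValue(':username', $username, PDO::PARAM_STR);
    $stm->execute();                  // prepare() pairs with execute(), not query()
    $row = $stm->fetch();             // read rows from the statement, not from $dbh->query()
    return $row !== false && password_verify($password, $row['password_hash']);
}

var_dump(checkLogin($dbh, 'alice', 's3cret'));      // correct password
var_dump(checkLogin($dbh, 'alice', 'wrong'));       // wrong password
var_dump(checkLogin($dbh, "o'brien", 'anything'));  // quote in input: just an unknown username

// Iterating every row: fetchAll() on the executed statement, as the first answer says.
$all = $dbh->prepare('SELECT username FROM log ORDER BY username');
$all->execute();
foreach ($all->fetchAll() as $row) {
    echo $row['username'], "\n";
}
```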
