
PDO displaying data from database foreach specific ID

If a member logs on they have a URL like index.php?id=5

$id = $_GET['id'];

I can show the user data by doing this:

$pdo = Database::connect();
$sql = 'SELECT * FROM data WHERE id_member = "5" ORDER BY tgl DESC';
foreach ($pdo->query($sql) as $row) {
     echo '<td>'. $row['tgl'] . '</td>';
}

But if I change it to this, nothing happens.

$pdo = Database::connect();
$q = $pdo->prepare('SELECT * FROM data WHERE id_member = $id ORDER BY tgl DESC');    
$q->bindValue(':id', $id, PDO::PARAM_INT);

foreach ($pdo->query($q) as $row) {
    echo '<td>'. $row['tgl'] . '</td>';
}

But I don't understand. Can somebody help me please? Give me the right code and explain it please, I am new to PDO.

Thanks

You don't use the query function, http://php.net/manual/en/pdo.query.php, with prepare, http://php.net/manual/en/pdo.prepare.php. Prepare goes with execute, http://php.net/manual/en/pdostatement.execute.php. You also need to put the bound name in the query.

$pdo = Database::connect();
$q = $pdo->prepare('SELECT * FROM data WHERE id_member = :id ORDER BY tgl DESC');
$q->bindValue(':id', $id, PDO::PARAM_INT);
$q->execute();
// fetch() returns one row per call (false when none are left), so assign it
while ($row = $q->fetch(PDO::FETCH_ASSOC)) {
    echo '<td>'. $row['tgl'] . '</td>';
}

or

$pdo = Database::connect();
$q = $pdo->prepare('SELECT * FROM data WHERE id_member = ? ORDER BY tgl DESC');
// positional placeholder: values are passed in order to execute()
$q->execute(array($id));
while ($row = $q->fetch(PDO::FETCH_ASSOC)) {
    echo '<td>'. $row['tgl'] . '</td>';
}

Both methods are prepared statements. They separate the user's data so it won't cause issues with your query.

Also, as the other answers have alluded to, if you used double quotes your second query would have executed... but don't do that, it opens you to injections. Here's how you could have done that, but the prepared ones are better. Also note the casting of $id to an int, which forces it to be a number.

$id = (int)$_GET['id'];   // only an integer can reach the SQL text below
$pdo = Database::connect();
$sql = "SELECT * FROM data WHERE id_member = $id ORDER BY tgl DESC";
foreach ($pdo->query($sql) as $row) {
     echo '<td>'. $row['tgl'] . '</td>';
}

In your statement you are using a prepared query, therefore your query should look different:

$q = $pdo->prepare('SELECT * FROM data WHERE id_member = :id ORDER BY tgl DESC');

You also have to execute your query after you bind the parameters, like so:

$q->execute();

So doing this should fix your problem:

$pdo = Database::connect();
$q = $pdo->prepare('SELECT * FROM data WHERE id_member = :id ORDER BY tgl DESC');
$q->execute(['id' => $id]);   // named placeholders can be bound through execute()
foreach ($q as $row) {        // a PDOStatement is iterable after execute()
  echo '<td>'. $row['tgl'] . '</td>';
}

It is generally better practice to use prepared statements as they prevent SQL injection attacks.

Single quotes treat variables as strings in your code:

$sql = 'SELECT * FROM data WHERE id_member = $id ORDER BY tgl DESC';

has to be

$sql = "SELECT * FROM data WHERE id_member = $id ORDER BY tgl DESC";

or you will receive $id instead of its value.
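Putting the three answers together, here is an added example (it is not code from the question or from any of the answers) that runs stand-alone. It assumes an in-memory SQLite database in place of Database::connect(), and the table data with columns id_member and tgl, plus its rows, are constructed to mirror the question. It shows why the single-quoted query matches nothing (third answer), why prepare() pairs with execute() rather than query() (first and second answers), and what a prepared statement does with a hostile id that string interpolation cannot handle, alongside the (int) cast from the first answer.

```php
<?php
// Added example, not code from the question or any of the answers above.
// Assumptions: an in-memory SQLite database stands in for Database::connect(),
// and the rows in "data" (columns id_member, tgl as in the question) are
// constructed sample data.

$pdo = new PDO('sqlite::memory:');
// Report SQL errors as exceptions. PHP before 8.0 defaults to ERRMODE_SILENT,
// which is why a broken query can look like "nothing happens".
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$pdo->exec('CREATE TABLE data (id_member INTEGER, tgl TEXT)');
$ins = $pdo->prepare('INSERT INTO data (id_member, tgl) VALUES (?, ?)');
foreach ([[5, '2020-01-01'], [5, '2020-03-15'], [7, '2020-02-10']] as $row) {
    $ins->execute($row);
}

// Prepared statement: the SQL text is fixed, the value travels separately.
function tglForMember(PDO $pdo, $id)
{
    $q = $pdo->prepare('SELECT tgl FROM data WHERE id_member = :id ORDER BY tgl DESC');
    $q->bindValue(':id', $id, PDO::PARAM_INT);
    $q->execute();                        // not $pdo->query($q)
    return $q->fetchAll(PDO::FETCH_COLUMN);
}

// String interpolation, as in the question's first snippet. Kept only to
// compare against the prepared version; do not use this with user input.
function tglForMemberInterpolated(PDO $pdo, $id)
{
    $sql = "SELECT tgl FROM data WHERE id_member = $id ORDER BY tgl DESC";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

$id = '5';   // what $_GET['id'] holds for index.php?id=5

// 1. Single-quoted SQL: PHP does not interpolate, so the database receives the
//    three characters $id. MySQL rejects that as an unknown column; SQLite
//    parses $id as an unbound parameter and compares against NULL. Either way
//    no row for member 5 comes back.
try {
    $rows = $pdo->query('SELECT tgl FROM data WHERE id_member = $id')->fetchAll(PDO::FETCH_COLUMN);
    echo "single-quoted query matched " . count($rows) . " rows\n";
} catch (PDOException $e) {
    echo "single-quoted query failed: " . $e->getMessage() . "\n";
}

// 2. The corrected version: prepare, bind, execute, fetch.
echo "prepared, id=5: " . implode(', ', tglForMember($pdo, $id)) . "\n";

// 3. A hostile id. Interpolated, it becomes part of the WHERE clause and every
//    member's rows come back. Prepared, the whole string is one compared
//    value, so member 7's row can never be returned.
$hostile = '5 OR 1=1';
echo "interpolated, hostile: " . implode(', ', tglForMemberInterpolated($pdo, $hostile)) . "\n";
echo "prepared, hostile:     " . implode(', ', tglForMember($pdo, $hostile)) . "\n";

// 4. The (int) cast from the first answer keeps the interpolated form safe for
//    this integer column only: (int)'5 OR 1=1' is 5, nothing else survives.
echo "interpolated, (int) cast: " . implode(', ', tglForMemberInterpolated($pdo, (int) $hostile)) . "\n";
```

Run it with the php command-line binary (pdo_sqlite ships with most PHP builds). Two things worth checking in your own code: first, with PHP older than 8.0 PDO defaults to ERRMODE_SILENT, so a failed query() returns false and the foreach loop simply iterates nothing; setting ERRMODE_EXCEPTION as above turns "nothing happens" into an error you can read. Second, PDO::PARAM_INT is a hint to the driver, not validation: the SQLite driver coerces the hostile string to 5 and other drivers treat a non-numeric string in their own way, so if you want to reject a bad id rather than merely neutralise it, check that it is an integer before running the query.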
