使用准备好的语句对插入内容进行消毒
[英]Sanitizing insert with prepared statements
问题描述
I have this snippet where I'm trying to insert large set of data to MySQL database. 
我有一个片段,试图将大量数据插入MySQL数据库。
$file = fopen($filename, "r");
while (($emapData = fgetcsv($file, 10000, ",")) !== FALSE)
{
$sql = "INSERT into universe (`zone`, `area`, `sub`) values('$emapData[0]','$emapData[1]','$emapData[2]')";
}
I tried 'preparing' the data prior to the insert and made an attempt to sanitize, 我尝试在插入之前“准备”数据并尝试进行清理,
$file = fopen($filename, "r");
while (($emapData = fgetcsv($file, 10000, ",")) !== FALSE)
{
$sql = $conn->prepare ("INSERT into universe (`zone`, `area`, `sub`) values(?,?,?)");
$sql = bind_param("sss", '$emapData[0]','$emapData[1]','$emapData[2]');
}
And this gives me an error : 这给了我一个错误:
Uncaught Error: Call to undefined function bind_param()
Where and how do you suggest that I define bind_param earlier? 您在哪里以及如何建议我更早地定义bind_param ? Thank you. 谢谢。
1 个解决方案
解决方案1
1 已采纳 2018-09-01 11:01:10
You aren't far from the expected result. 您离预期的结果不远。
bind_param() is a method from the mysqli_stmt class. bind_param()是mysqli_stmt类的方法。 You get an instance of this class when doing $sql = $conn->prepare(...); 在执行$sql = $conn->prepare(...);时,会得到该类的实例$sql = $conn->prepare(...);
All you have to do is to call that function from the $sql object. 您要做的就是从$sql对象调用该函数。
By the way, you don't have to wrap $emapData[x] into single quotes. 顺便说一句,您不必将$emapData[x]包装在单引号中。
$sql = $conn->prepare("INSERT into universe (`zone`, `area`, `sub`) values(?, ?, ?)");
$sql->bind_param("sss", $emapData[0], $emapData[1], $emapData[2]);
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.