为什么带有命名参数的查询返回空白结果?
[英]Why does my query with named parameters return a blank result?
问题描述
I am converting my MySQL code over to PDO to take advantage of prepared statements. 
我将我的MySQL代码转换为PDO,以利用准备好的语句。 I was originally getting a fatal error as described in this question . 如本问题所述,我最初遇到了致命错误。 I had solved that issue, but it brought up more problems when trying to add parameters. 我已经解决了该问题,但是在尝试添加参数时出现了更多问题。
The code I am trying to get working is: 我试图开始工作的代码是:
include ("foo/bar.php");
try {
$DBH = new PDO("mysql:host=$hostname;dbname=$database", $username, $password);
}
catch(PDOException $e) {
echo $e->getMessage();
}
$mydate=date("Y-m-d",strtotime("-3 months"));
$foo_query=$DBH->prepare("SELECT id, postdate, title, SUBSTRING_INDEX(body,' ',20) as preview_text, body FROM BarTable WHERE postdate = :postdate AND postdate > '$mydate' ORDER BY postdate DESC");
$foo_query->execute( array('postdate' => $_REQUEST['postdate']) );
$DBH=null;
In English, this is meant to read " take the current date and set it back 3 months calling it $mydate, then select all of those fields (also taking the first 20 words of the body and calling it 'preview_text') from my table where the postdate is equal to the parameter postdate and where postdate is greater than $mydate ". 用英语,这意味着从我的表中读取“ 获取当前日期并将其设置回3个月,将其命名为$ mydate,然后选择所有这些字段(也获取正文的前20个单词,并将其命名为'preview_text')其中postdate等于参数postdate,并且postdate大于$ mydate “。
I am then displaying the results in the following (note this is now abridged): 然后,我在下面显示结果(请注意,现在将其删节):
$foo_query->setFetchMode(PDO::FETCH_ASSOC);
while($r=$foo_query->fetch()) {
echo $r["id"];
echo $r["title"];
echo date("d-M-Y",strtotime($r["postdate"]));
echo nl2br ($r["preview_text"]); }
Now, while the SELECT query is written as: 现在,虽然SELECT查询写为:
("SELECT id, postdate, title, SUBSTRING_INDEX(body,' ',20) as preview_text, body FROM BarTable WHERE postdate > '$mydate' ORDER BY postdate DESC")
...it displays exactly what I need it to, but of course while this is prepared, it contains no parameters so only achieves 50% of the goal. ...它完全显示了我需要的东西,但是当然,在准备过程中,它不包含任何参数,因此只能达到目标的50%。
I was under the impression the way of preparing the statement that I outlined initially would be fine as per the tutorials and advice I have already been given. 根据给我的教程和建议,给我的印象是,准备我最初概述的陈述的方式会很好。
I have tried to print my error and it brings up no error. 我尝试打印我的错误,但没有出现错误。 I manually sent the query as follows and get no returns. 我按如下方式手动发送了查询,但没有得到任何回报。 Note I have tried the date strings in all manner of permutations: 注意我已经尝试了各种排列方式的日期字符串:
("SELECT id, postdate, title, SUBSTRING_INDEX(body,' ',20) as preview_text, body FROM BarTable WHERE postdate = 20121001 AND postdate > 20120701 ORDER BY postdate DESC")
EDIT: The above was pointed out as incorrect but I will keep it here for reference as this section is explained in the comments below. 编辑:上面指出的是不正确的,但我将其保留在这里以供参考,因为本节在下面的注释中进行了解释。
EDIT: Manually sending the query now displays correctly when typing: 编辑:手动发送查询现在键入时正确显示:
("SELECT id, postdate, title, SUBSTRING_INDEX(body,' ',20) as preview_text, body FROM BarTable WHERE postdate = '2012-09-30 08:38:23' ORDER BY postdate DESC")
The query does not display at all when typing any of the following: 键入以下任意一项时,查询根本不会显示:
("SELECT id, postdate, title, SUBSTRING_INDEX(body,' ',20) as preview_text, body FROM BarTable WHERE postdate = :postdate ORDER BY postdate DESC")
("SELECT id, postdate, title, SUBSTRING_INDEX(body,' ',20) as preview_text, body FROM BarTable WHERE postdate = :postdate AND postdate > '$mydate' ORDER BY postdate DESC")
("SELECT id, postdate, title, SUBSTRING_INDEX(body,' ',20) as preview_text, body FROM BarTable WHERE postdate = '2012-09-30 08:38:23' AND postdate > '2012-07-01 00:01' ORDER BY postdate DESC")
I am thinking that I should bind the parameter in some way, but the tutorials I've read do not specifically say that I should always bind them - I'm unsure of how to proceed. 我认为我应该以某种方式绑定参数,但是我阅读的教程并未明确指出我应该始终绑定它们-我不确定如何进行。
EDIT : I have looked to bind the statement as follows with no success. 编辑:我一直试图将语句绑定如下,但没有成功。 The query seemingly ignores the bind so the state of the query acts as all of the above permutations without binding: 该查询似乎忽略了绑定,因此查询状态充当上述所有未绑定的排列:
$foo_query->bindParam (
":postdate", strtotime ( $_REQUEST['postdate']), PDO::PARAM_INT);
$foo_query->execute();
What am I doing wrong, that isn't happening when I don't add parameters? 我在做什么错,当我不添加参数时不会发生这种情况? Should I be declaring the :postdate parameter somewhere other than in the SELECT query? 我应该在SELECT查询之外的其他地方声明:postdate参数吗?
For the purposes of preventing SQL injection I would like to use named parameters as well as preparing the statement, but if I can't figure it out then I will just have to not used named parameters. 为了防止SQL注入,我想使用命名参数以及准备语句,但是如果我无法弄清楚,那么我将不得不不使用命名参数。
1 个解决方案
解决方案1
1 已采纳 2012-10-02 15:40:02
When using parameter through a array, you are binding with the default parameter type PDO::PARAM_STR 通过数组使用参数时,将绑定默认参数类型PDO::PARAM_STR
Dependending on the datatype: 取决于数据类型:
- The MySQL timestamp data-type: it's the same, you'll pass it as a string MySQL时间戳数据类型:相同,您将其作为字符串传递
- The PHP Unix timestamp, which is an integer: you'll pass it an int. PHP Unix时间戳,它是一个整数:您将为它传递一个int值。
I suggest you change your code like this: 我建议您像这样更改代码:
$foo_query=$DBH->prepare(
"SELECT id, postdate, title, SUBSTRING_INDEX(body,' ',20) as preview_text, body
FROM BarTable WHERE postdate = :postdate
ORDER BY postdate DESC");
$foo_query->bindParam (
":postdate", strtotime ( $_REQUEST['postdate']), PDO::PARAM_INT);
// ^^^ bind as integer
$foo_query->execute();
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.