堆栈内存溢出
  繁体   English   中英

PHP将旧的mysql_query更改为PDO

[英]PHP changing old mysql_query to PDO

 原文  2012-09-07 00:29:26       php/ mysql/ sql/ pdo

问题描述

我的代码中有一些旧的mysql_query查询,我想将其转换为PDO,但我很难开始工作。

我原来的代码是: 

mysql_query("UPDATE people SET price='$price', contact='$contact', fname='$fname', lname='$lname' WHERE id='$id' AND username='$username' ")
or die(mysql_error());

现在我想: 

$sql = "UPDATE people SET price='$price', contact='$contact', fname='$fname', lname='$lname' WHERE id='$id' AND username='$username'";
$q   = $conn->query($sql) or die("failed!");

但似乎无法让它发挥作用,任何想法?

更新的代码: 

$conn = new PDO("mysql:host=$host;dbname=$db",$user,$pass);


 // check if the form has been submitted. If it has, process the form and save it to the   database
 if (isset($_POST['submit']))
 { 
 // confirm that the 'id' value is a valid integer before getting the form data
 if (is_numeric($_POST['id']))
  {
 // get form data, making sure it is valid
 $id = $_POST['id'];
 $fname = mysql_real_escape_string(htmlspecialchars($_POST['fname']));
 $lname = mysql_real_escape_string(htmlspecialchars($_POST['lname']));
 $contact = mysql_real_escape_string(htmlspecialchars($_POST['contact']));
 $price = mysql_real_escape_string(htmlspecialchars($_POST['price']));


 // check that firstname/lastname fields are both filled in
 if ($fname == '' || $lname == '' || $contact == '' || $price == '' )
 {
 // generate error message
 $error = 'ERROR: Please fill in all required fields!';

 //error, display form
 renderForm($id, $fname, $lname, $contact, $price, $error);
 }
 else
 {
 // save the data to the database
 $username = $_SESSION['username'];

 $query = "UPDATE people 
         SET price=?, 
             contact=?, 
             fname=?, 
             lname=? 
          WHERE id=? AND 
                username=?";
$stmt = $db->prepare($query);
$stmt->bindParam(1, $price);
$stmt->bindParam(2, $contact);
$stmt->bindParam(3, $fname);
$stmt->bindParam(4, $lname);
$stmt->bindParam(5, $id);
$stmt->bindParam(6, $username);    
$stmt->execute();


 // once saved, redirect back to the view page
header("Location: view.php"); 
}

4 个解决方案

解决方案1
 6 已采纳  2012-09-07 00:32:33

有关更多信息,请访问此链接: PHP PDO

根据你的例子, 

<?php

    $query = "UPDATE people 
             SET price=?, 
                 contact=?, 
                 fname=?, 
                 lname=? 
              WHERE id=? AND 
                    username=?";
    $stmt = $dbh->prepare($query);
    $stmt->bindParam(1, $price);
    $stmt->bindParam(2, $contact);
    $stmt->bindParam(3, $fname);
    $stmt->bindParam(4, $lname);
    $stmt->bindParam(5, $id);
    $stmt->bindParam(6, $username);    
    $stmt->execute();

?>

PDO准备语句和存储过程

在此输入图像描述

解决方案2
 5  2012-09-07 00:37:35

请注意,在使用PDO的mysql驱动程序时,您始终必须禁用模拟的预准备语句 

$dbConnection = new PDO('mysql:dbname=dbtest;host=127.0.0.1;charset=utf8', 'user', 'pass');

$dbConnection->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
$dbConnection->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$sql = 'UPDATE people SET';
$sql.= ' price = :price,';
$sql.= ' contact = :contact,';
$sql.= ' fname = :fname,';
$sq;.= ' lname = :lname';
$sql.= ' WHERE id= :id AND username = :username';

$stmt = $pdo->prepare($sql);

$stmt->execute(array(
    ':price' => $price,
    ':contact' => $contact,
    ':fname' => $fname,
    ':lname' => $lname,
    ':id' => $id,
    ':username' => $username,
));

正如你所看到的,我已经使用了命名参数,因为当你拥有很多这些参数时,你所做的事情就更加清晰了。

注意: ircmaxell目前正在努力使默认值始终使用真正准备好的语句 ,但在此之前(可能需要一段时间),您总是必须为mysql禁用它们。

解决方案3
 4  2012-09-07 00:37:54

如果您要使用PDO,则需要查看prepare()execute否则您将失去PDO提供的安全性并保留SQL注入。 所以,举个例子: 

$conn = new PDO(/*connection info*/);

$query = $conn->prepare("UPDATE people "
                      . "SET    price    = :price, "
                      . "       contact  = :contact, "
                      . "       fname    = :fname, "
                      . "       lname    = :lname "
                      . "WHERE  id       = :id "
                      . "  AND  username = :username");
$result = $query->execute(array(
  ':price'    => $price,
  ':contact'  => $contact,
  ':fname'    => $fname,
  ':lname'    => $lname,
  ':id'       => $id,
  ':username' => $username
));

这是更宽松的方式,但你也可以bindParam并明确它所期望的数据类型。

解决方案4
 4  2012-09-07 00:48:17

在使用PDO扩展时,您必须清楚几件事情,即有多种方法可以完成任务。

您目前使用的方式是其中之一,包括更多。 但是,单独绑定参数总是一个好主意,因为这可以防止SQL注入等许多问题。

其他重要的事情是statementprepareexecute 

$conn = new PDO("...."); //Creating the handler

//Create the statement
$stmt = $conn -> prepare("UPDATE people SET price = :price, contact = :contact, fname = :fname, lname = :lname WHERE id= :id AND username = :username");

// Bind the params
$stml -> bindParam(":contact", $contact, PDO::PARAM_STR); //This way you can also define the DATATYPE of the parameter

//Execute
$stmt -> execute(array(
   ":price" => $price, //another way of binding the params
   ":fname" => $fname, 
   ":lname" => $lname,
   ":id" => $id, 
   ":username" => $username));

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 将旧分页mysql_query php转换为PDO PHP为mysql_query和pdo提供了不同的结果 PHP更改PDO的旧mysql 插入表VALUES-mysql_query到PDO 将PDO SQL降级到mysql_query 处理时 mysql_query 到 pdo 的转换错误 mysql_query到PDO和预处理语句 使用PDO语句代替mysql_query 从mysql_query切换到PDO的问题 将mysql_query转换为PDO语句
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM