我將如何編寫准備好的sql語句而不是使用real_escape PHP，MySQL

Question

public $id;
public $filename;
public $type;
public $size;
public $description;
public $title;

這就是我現在使用的，這很糟糕，

$sql = "INSERT INTO photographgallery 
              (filename,type,size,description,title)
    VALUES ('$sanitized_filename', '$sanitized_type', '$sanitized_size', '$sanitized_description', '$sanitized_title')"; 

我想知道我是否可以為此編寫一份准備好的聲明，我將如何處理它，我是堆棧。 救命。

Answer 1

在SQL中，使用問號占位符（ ? ）替換變量。 通過將查詢傳遞給mysqli::prepare創建mysqli_stmt ，然后通過調用mysqli_stmt::bind_param將變量綁定到占位符。 調用mysqli_stmt::execute來執行插入。 它看起來像這樣：

$sql = "INSERT INTO photographgallery 
            (filename, type, size, description, title)
          VALUES
            (?, ?, ?, ?, ?)";
$stmt = $conn->prepare($sql);
// The string 'ssiss' in the following means 'string, string, int, string, string'
//  and describes the types of the parameters.
$stmt->bind_param('ssiss', $filename, $type, $size, $description, $title);
$stmt->execute();
$stmt->close();  // always clean up after yourself

Answer 2

// Your variables, however you get them.    
$filename = "name1";
$type = "type1";
$size = 100;
$desc = "test desc";
$title = "title"

if($stmt = $mysqli->prepare("INSERT INTO photographgallery (filename, type, size, description, title) VALUES (?, ?, ?, ?, ?)") {
    $stmt->bind_param('ssiss', $filename, $type, $size, $desc, $title); //Assuming the variables are string, string, int, string, string respectively
    $stmt->execute();
    $stmt->close();
}

在代碼周圍使用if可確保僅在prepare語句沒有錯誤時才運行。 如果有錯誤，則prepare語句返回false。