[英]How to use SQL prepared statement in php pdo
我為sql創建了准備好的語句,可以在mysqlWorkbench中給我正確的結果,但是當我嘗試對php pdo使用相同的查詢時,它返回一個空數組 。
那么如何在php pdo中使用我准備好的語句?
這是我的代碼:
<?php
$dbh = new PDO('mysql:host=localhost;dbname=db', 'user', 'pass');
$pstmt = "set @sql = null;
select
group_concat(distinct
concat(
'MAX(IF(ch.ch_name = ''', replace(ch.ch_name, '''', '\''''), ''', v.v_value, NULL)) AS ''', replace(ch.ch_name, '''', ' ') , ''''
)
) into @sql
FROM e_champ ch
join e_champ_value v on v.v_fk_champ_id = ch.ch_id
join e_collecte c on c.c_id = v.v_fk_collecte_id
AND c.c_id = 2;
set @sql = concat('select oi.oi_id, ', @sql, ' from e_order_item oi
left join e_champ_value v on v.v_fk_order_item_id = oi.oi_id
join e_champ ch on ch.ch_id = v.v_fk_champ_id
join e_collecte c on c.c_id = v.v_fk_collecte_id
AND c.c_id = 2 GROUP BY oi_id');
PREPARE stmt FROM @sql;
EXECUTE stmt;
DEALLOCATE PREPARE stmt;";
$sth = $dbh->prepare($pstmt);
$sth->execute();
/* Fetch all of the remaining rows in the result set */
print("Fetch all of the remaining rows in the result set:\n");
$result = $sth->fetchAll();
print_r($result);
?>
您的“ prepared”語句很容易進行SQL注入。
因為您不是在為真實查詢做准備,而是只是模仿一條准備好的語句,而實際上卻使用相同的舊臟連接和手動轉義。
因此,在您的情況下,沒有唯一的原因使用SQL准備語句。
無論如何,要回答標題中的問題,運行任何 sql查詢(無論是否使用SQL預准備語句),都必須使用query()
方法, 在單獨的query()
調用中運行單獨的SQL查詢。
我找到了可以給我正確結果的解決方案。
我在數據庫中創建一個存儲過程,然后在php pdo中調用它。
DELIMITER $$
CREATE PROCEDURE GetResult()
BEGIN
set @sql = null;
select
group_concat(distinct
concat(
'MAX(IF(ch.ch_name = ''', replace(ch.ch_name, '''', '\''''), ''', v.v_value, NULL)) AS ''', replace(ch.ch_name, '''', ' ') , ''''
)
) into @sql
FROM e_champ ch
join e_champ_value v on v.v_fk_champ_id = ch.ch_id
join e_collecte c on c.c_id = v.v_fk_collecte_id
AND c.c_id = 2;
set @sql = concat('select oi.oi_id, ', @sql, ' from e_order_item oi
left join e_champ_value v on v.v_fk_order_item_id = oi.oi_id
join e_champ ch on ch.ch_id = v.v_fk_champ_id
join e_collecte c on c.c_id = v.v_fk_collecte_id
AND c.c_id = 2 GROUP BY oi_id');
PREPARE stmt FROM @sql;
EXECUTE stmt;
DEALLOCATE PREPARE stmt;
END$$
// PHP代碼
<?php
$dbh = new PDO('mysql:host=localhost;dbname=db', 'user', 'pass');
$pstmt = "call GetResult()";
$sth = $dbh->prepare($pstmt);
$sth->execute();
/* Fetch all of the remaining rows in the result set */
print("Fetch all of the remaining rows in the result set:\n");
$result = $sth->fetchAll();
print_r($result);
?>
這是有關php preapared語句和存儲過程的鏈接http://php.net/manual/zh/pdo.prepared-statements.php
看看是否有幫助:
$conn = new PDO('mysql:host=localhost;dbname=tabela_nome','user','pass');
try{
$select= "SELECT * from user_ WHERE email=:'email@email.com'";
$result = $conn->prepare($select);
$result->execute();
} catch(PDOException $e){
echo $e->getMessage();
}
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.