[英]php - How to parametrize SQL query with multiple WHERE conditions (prepared statement)?
[英]How to convert a SQL query into a prepared statement PHP
我目前無法將下面的SQL查詢轉換為准備好的語句。
$XSS_BLOCK2 = "22-07-2004";
$XSS_BLOCK3 = "20-05-2016";
$dateswitch1 = date("Y-m-d", strtotime($XSS_BLOCK2));
$dateswitch2 = date("Y-m-d", strtotime($XSS_BLOCK3));
$securesqlstring = $secureconn->prepare("SELECT * FROM Lateday WHERE $dateswitch1 AND $dateswitch2 BETWEEN StartDate AND EndDate");
例如,工作代碼$securesqlstring = $secureconn->prepare("SELECT * FROM Lateday WHERE '2004-07-22' AND '2016-05-20' BETWEEN StartDate AND EndDate");
代碼示例:
$XSS_BLOCK2 = "22-07-2004";
$XSS_BLOCK3 = "20-05-2016";
$dateswitch1 = date("Y-m-d", strtotime($XSS_BLOCK2));
$dateswitch2 = date("Y-m-d", strtotime($XSS_BLOCK3));
$securesqlstring = $secureconn->prepare("SELECT * FROM Lateday WHERE ? AND ? BETWEEN StartDate AND EndDate");
$securesqlstring->bindParam(1,$dateswitch1);
$securesqlstring->bindParam(2,$dateswitch2);
$securesqlstring->execute();
目前無法運作。
在另一個項目上工作的工作更新語句的示例我想將上面的SQL查詢轉換為類似下面的示例:
$id = $_POST["id"];
$stocklevel = $_POST["stocklevel"];
$XSS_Block1 = htmlentities ($id, ENT_QUOTES, "UTF-8");
$XSS_Block2 = htmlentities ($stocklevel, ENT_QUOTES, "UTF-8");
$conn = new PDO("mysql:host=localhost;dbname=;","","");
$mattssqlstring = $conn->prepare("UPDATE `products` SET stocklevel=stocklevel-? WHERE ID=? and stocklevel = ?");
$mattssqlstring->bindParam(1,$XSS_Block2);
$mattssqlstring->bindParam(2,$XSS_Block1);
$mattssqlstring->bindParam(3,$XSS_Block2);
$mattssqlstring->execute();
$XSS_BLOCK2 = "22-07-2004";
$XSS_BLOCK3 = "20-05-2016";
$securesqlstring = $secureconn->prepare("SELECT * FROM `Lateday` WHERE STR_TO_DATE(:date1,'%d-%m-%Y') AND STR_TO_DATE(:date2,'%d-%m-%Y') BETWEEN `StartDate` AND `EndDate`");
$mattssqlstring->bindParam(':date1',$XSS_BLOCK2);
$mattssqlstring->bindParam(':date2',$XSS_BLOCK3);
$securesqlstring->execute();
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.