英文:
How to use prepared statement for separated mysql query
问题
我有点困惑如何在这里使用预处理语句。我尝试了,但失败了,因为我的查询被分开。
$q = "SELECT * FROM report WHERE 1";
if(isset($_GET['name']) && !empty($_GET['name'])){
$name = $_GET['name'];
$q .= " AND user = '$name'";
}
if(isset($_GET['category']) && !empty($_GET['category'])){
$category = $_GET['category'];
$q .= " AND category = '$category'";
}
$q .= " ORDER BY report.id desc LIMIT $offset, $no_of_records_per_page";
$all = $conn->query($q);
我尝试了这个,但它搞乱了,不起作用。
$q = $conn->prepare("SELECT * FROM report WHERE 1");
if(isset($_GET['name']) && !empty($_GET['name'])){
$name = $_GET['name'];
$q .= " AND user = ?";
}
if(isset($_GET['category']) && !empty($_GET['category'])){
$category = $_GET['category'];
$q .= " AND category = ?";
}
$q .= " ORDER BY report.id desc LIMIT $offset, $no_of_records_per_page";
$q->bind_param('ss', $name, $category);
$q->execute();
$all = $q->get_result();
希望这对你有帮助。
英文:
I am little confuse how to use prepare statement in this. i tried but failed as my query is separated.
$q = "SELECT * FROM report WHERE 1";
if(isset($_GET['name']) && !empty($_GET['name'])){
$name = $_GET['name'];
$q .= " AND user ='$name'";
}
if(isset($_GET['category']) && !empty($_GET['category'])){
$category = $_GET['category'];
$q .= " AND category ='$category'";
}
$q .= " ORDER BY report.id desc LIMIT $offset, $no_of_records_per_page";
$all = $conn->query($q);
I have tried this but it messed up and dosenot work.
$q = $conn->prepare("SELECT * FROM report WHERE 1");
if(isset($_GET['name']) && !empty($_GET['name'])){
$name = $_GET['name'];
$q .= " AND user = ?";
}
if(isset($_GET['category']) && !empty($_GET['category'])){
$category = $_GET['category'];
$q .= " AND category = ?";
}
$q .= " ORDER BY report.id desc LIMIT $offset, $no_of_records_per_page";
$q->bind_param('ss', $name, $category);
$q->execute();
$all = $q->get_result();
答案1
得分: 2
以下是翻译好的部分:
这是我使用准备好的语句(使用PDO)编写的代码:
$terms = [];
$params = [];
if($user = $_GET['name'] ?? null) {
$terms[] = "user = ?";
$params[] = $user;
}
if($category = $_GET['category'] ?? null) {
$terms[] = "category = ?";
$params[] = $category;
}
$where = '';
if ($terms) {
$where = "WHERE " . implode(" AND ", $terms);
}
$q = "SELECT * FROM report $where
ORDER BY report.id desc
LIMIT $no_of_records_per_page OFFSET $offset";
$stmt = $conn->prepare($q);
$stmt->execute($params);
我假设`$offset`和`$no_of_records_per_page`不来自不安全的源。如果它们在您的代码中使用字面值设置,那么可以直接在查询中使用它们。
关于您的评论:
PHP的[]运算符可以向数组添加一个元素。如果添加的是一个数组,那么它将成为嵌套数组。
您可以以几种方式向数组追加多个元素。可以逐个添加:
$params[] = $from_date;
$params[] = $to_date;
或者使用内置数组函数,例如以下任一解决方案:
$params = array_push($params, $from_date, $to_date);
$params = array_merge($params, [$from_date, $to_date]);
或者在PHP 7.4及更高版本中,您可以这样组合数组:
$params = [...$params, $from_date, $to_date];
英文:
Here's how I'd code it using a prepared statement (using PDO):
$terms = [];
$params = [];
if($user = $_GET['name'] ?? null) {
$terms[] = "user = ?";
$params[] = $user;
}
if($category = $_GET['category'] ?? null) {
$terms[] = "category = ?";
$params[] = $category;
}
$where = '';
if ($terms) {
$where = "WHERE " . implode(" AND ", $terms);
}
$q = "SELECT * FROM report $where
ORDER BY report.id desc
LIMIT $no_of_records_per_page OFFSET $offset";
$stmt = $conn->prepare($q);
$stmt->execute($params);
I assume $offset and $no_of_records_per_page are not from an unsafe source. If they are set using literals in your code, they're safe to use directly in the query.
Re your comment:
PHP's [] operator can add just one element to the array. If the thing you add is an array, that becomes a nested array.
You can append multiple elements to the array in a couple of ways. Either one at a time:
$params[] = $from_date;
$params[] = $to_date;
Or use builtin array functions, like either of these solutions:
$params = array_push($params, $from_date, $to_date);
$params = array_merge($params, [$from_date, $to_date]);
Or in PHP 7.4 and later, you can combine arrays this way:
$params = [...$params, $from_date, $to_date];
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论