如何在分开的MySQL查询中使用预准备语句

huangapple go评论58阅读模式
英文:

How to use prepared statement for separated mysql query

问题

我有点困惑如何在这里使用预处理语句。我尝试了,但失败了,因为我的查询被分开。

$q = "SELECT * FROM report WHERE 1";

if(isset($_GET['name']) && !empty($_GET['name'])){

 $name = $_GET['name'];

 $q .= " AND user = '$name'";
}

if(isset($_GET['category']) && !empty($_GET['category'])){

 $category = $_GET['category'];

 $q .= " AND category = '$category'";        
}

$q .= " ORDER BY report.id desc LIMIT $offset, $no_of_records_per_page";
$all = $conn->query($q);

我尝试了这个,但它搞乱了,不起作用。

$q = $conn->prepare("SELECT * FROM report WHERE 1");

if(isset($_GET['name']) && !empty($_GET['name'])){

 $name = $_GET['name'];

 $q .= " AND user = ?";
}

if(isset($_GET['category']) && !empty($_GET['category'])){

 $category = $_GET['category'];

 $q .= " AND category = ?";        
}

$q .= " ORDER BY report.id desc LIMIT $offset, $no_of_records_per_page";
$q->bind_param('ss', $name, $category);
$q->execute();
$all = $q->get_result();

希望这对你有帮助。

英文:

I am little confuse how to use prepare statement in this. i tried but failed as my query is separated.

$q = "SELECT * FROM report WHERE 1";

if(isset($_GET['name']) && !empty($_GET['name'])){

 $name = $_GET['name'];

 $q .= " AND user ='$name'";
}

if(isset($_GET['category']) && !empty($_GET['category'])){

 $category = $_GET['category'];

 $q .= " AND category ='$category'";        
}

$q .= " ORDER BY report.id desc LIMIT $offset, $no_of_records_per_page";
$all = $conn->query($q);

I have tried this but it messed up and dosenot work.

$q = $conn->prepare("SELECT * FROM report WHERE 1");

if(isset($_GET['name']) && !empty($_GET['name'])){

 $name = $_GET['name'];

 $q .= " AND user = ?";
}

if(isset($_GET['category']) && !empty($_GET['category'])){

 $category = $_GET['category'];

 $q .= " AND category = ?";        
}

$q .= " ORDER BY report.id desc LIMIT $offset, $no_of_records_per_page";
$q->bind_param('ss', $name, $category);
$q->execute();
$all = $q->get_result();

答案1

得分: 2

以下是翻译好的部分:

这是我使用准备好的语句(使用PDO)编写的代码:

$terms = [];
$params = [];

if($user = $_GET['name'] ?? null) {
  $terms[] = "user = ?";
  $params[] = $user;
}

if($category = $_GET['category'] ?? null) {
  $terms[] = "category = ?";
  $params[] = $category;
}

$where = '';

if ($terms) {
  $where = "WHERE " . implode(" AND ", $terms);
}

$q = "SELECT * FROM report $where 
  ORDER BY report.id desc 
  LIMIT $no_of_records_per_page OFFSET $offset";

$stmt = $conn->prepare($q);

$stmt->execute($params);

我假设`$offset``$no_of_records_per_page`不来自不安全的源。如果它们在您的代码中使用字面值设置,那么可以直接在查询中使用它们。

关于您的评论:

PHP的[]运算符可以向数组添加一个元素。如果添加的是一个数组,那么它将成为嵌套数组。

您可以以几种方式向数组追加多个元素。可以逐个添加:

$params[] = $from_date;
$params[] = $to_date;

或者使用内置数组函数,例如以下任一解决方案:

$params = array_push($params, $from_date, $to_date);

$params = array_merge($params, [$from_date, $to_date]);

或者在PHP 7.4及更高版本中,您可以这样组合数组:

$params = [...$params, $from_date, $to_date];
英文:

Here's how I'd code it using a prepared statement (using PDO):

$terms = [];
$params = [];

if($user = $_GET['name'] ?? null) {
  $terms[] = "user = ?";
  $params[] = $user;
}

if($category = $_GET['category'] ?? null) {
  $terms[] = "category = ?";
  $params[] = $category;
}

$where = '';

if ($terms) {
  $where = "WHERE " . implode(" AND ", $terms);
}

$q = "SELECT * FROM report $where 
  ORDER BY report.id desc 
  LIMIT $no_of_records_per_page OFFSET $offset";

$stmt = $conn->prepare($q);

$stmt->execute($params);

I assume $offset and $no_of_records_per_page are not from an unsafe source. If they are set using literals in your code, they're safe to use directly in the query.


Re your comment:

PHP's [] operator can add just one element to the array. If the thing you add is an array, that becomes a nested array.

You can append multiple elements to the array in a couple of ways. Either one at a time:

$params[] = $from_date;
$params[] = $to_date;

Or use builtin array functions, like either of these solutions:

$params = array_push($params, $from_date, $to_date);

$params = array_merge($params, [$from_date, $to_date]);

Or in PHP 7.4 and later, you can combine arrays this way:

$params = [...$params, $from_date, $to_date];

huangapple
  • 本文由 发表于 2023年4月4日 13:46:24
  • 转载请务必保留本文链接:https://go.coder-hub.com/75925864.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定