本文介绍了使用 PHP 的 PDO 扩展来实现安全的数据库交互方法,包括如何使用 quote() 方法预防 SQL 注入,预处理语句的不同方式,以及如何使用 bindParam(), bindValue() 和 bindColumn() 方法来绑定参数。
一、quote()方法防止SQL注入
<?php
header('content-type:text/html;cahrset=utf-8');
$username=$_POST['username'];
$password=$_POST['password'];
try
{
$pdo=new PDO('mysql:host=localhost;dbanme=my_db','root','');
//$pdo->quote($username);
//$sql="select * from user where username='{$username}' and password='{$password}'";
//echo $sql;
//通过quote():返回带引号的字符串,过滤字符串中你的特殊字符
$username=$pdo->quote($username);
$sql="select * from user where username={$username} and password='{$password}'";
echo $sql;
$stmt=$pdo->qurey($sql);
//PDOStatement对象的方法:rouCount():对于select操作返回的结果集中记录的条数,
//对于INSERT\UPDATE\DELECT返回受影响的记录的条数
echo $stmt->rowCount();
}
catch(PDOException $e)
{
echo $e->getMessage();
}
?>二、预处理语句中占位符的使用
1、通过quote():返回带引号的字符串,过滤字符串中你的特殊字符
<?php
header('content-type:text/html;cahrset=utf-8');
$username=$_POST['username'];
$password=$_POST['password'];
try
{
$pdo=new PDO('mysql:host=localhost;dbanme=my_db','root','');
//$pdo->quote($username);
//$sql="select * from user where username='{$username}' and password='{$password}'";
//echo $sql;
//通过quote():返回带引号的字符串,过滤字符串中你的特殊字符
$username=$pdo->quote($username);
$sql="select * from user where username={$username} and password='{$password}'";
echo $sql;
$stmt=$pdo->qurey($sql);
//PDOStatement对象的方法:rouCount():对于select操作返回的结果集中记录的条数,
//对于INSERT\UPDATE\DELECT返回受影响的记录的条数
echo $stmt->rowCount();
}
catch(PDOException $e)
{
echo $e->getMessage();
}
?>2、:username/:password 作为占位符进行预处理
<?php
header('content-type:text/html;charset=utf-8');
$username=$_POST['username'];
$password=$_POST['password'];
try
{
$pdo=new PDO('mysql:host=localhost;dbname=my_db','root','');
$sql="select * from user where username=:username and password=:password";
$stmt=$pdo->prepare($sql);
$stmt->excute(array(":username"=>$username,":password"=>$password));
echo $stmt->rowCount();
}
catch(PDOException $e)
{
echo $e->getMessage();
}
?>3、? 作为占位符进行预处理
<?php
header('content-type:text/html;charset=utf-8');
$username=$_POST['username'];
$password=$_POST['password'];
try
{
$pdo=new PDO('mysql:host=localhost;dbname=my_db','root','');
$sql="select * from user where username=? and password=?";
$stmt=$pdo->prepare($sql);
$stmt->excute(array($username,$password));
echo $stmt->rowCount();
}
catch(PDOException $e)
{
echo $e->getMessage();
}
?>三、bindParam()方法绑定参数
1、绑定一个PHP变量到用作预处理的SQL语句中的对应命名占位符
<?php
header('content-type:text/html;cahrset=utf-8');
try {
$pdo = new PDO('mysql:host=localhost;dbanme=my_db', 'root', '');
$sql="INSERT user(username,password,email)Values(:username,:password,:email)";
$stmt-=$pdo->prepare($sql);
$stmt->bindParam(":username",$username,PDO::PARAM_STR);
$stmt->bindParam(":password",$password,PDO::PARAM_STR);
$stmt->bindParam(":email",$email);
$username='zzc';
$password='zzc';
$email='zzc@qq.com';
$stmt->excute();
$username='jason';
$password='jaosn';
$email='jason@qq.com';
$stmt->excute();
echo $stmt->rowCount();
}
catch(PDOException $e)
{
echo $e->getMessage();
}
?>2、绑定一个PHP变量到用作预处理的SQL语句中的对应问号占位符
(对于使用问号占位符的预处理语句,应是以1开始索引的参数位置。)
<?php
header('content-type:text/html;cahrset=utf-8');
try {
$pdo = new PDO('mysql:host=localhost;dbanme=my_db', 'root', '');
$sql="INSERT user(username,password,email)Values(?,?,?)";
$stmt-=$pdo->prepare($sql);
$stmt->bindParam(1,$username);
$stmt->bindParam(2,$password);
$stmt->bindParam(3,$email);
$username='THIS IS A TEST';
$password='THIS IS A TEST';
$email='test@qq.com';
$stmt->excute();
echo $stmt->rowCount();
}
catch(PDOException $e)
{
echo $e->getMessage();
}
?>四、bindValue()方法绑定参数
1、绑定一个值到用作预处理的 SQL 语句中的对应命名占位符
<?php
try{
$pdo=new PDO('mysql:host=localhost;dbname=imooc','root','');
$sql='INSERT user(username,password,email) VALUES(:username,:password,:email)';
$stmt=$pdo->prepare($sql);
$username='zzc11';
$password='zzc11';
$stmt->bindValue(':username',$username);
$stmt->bindValue(':password',$password);
$stmt->bindValue(':email','zzc11@qq.com');
$stmt->execute();
echo $stmt->rowCount();
$username='zzc22';
$password='zzc22';
$stmt->bindValue(':username',$username);
$stmt->bindValue(':password',$password);
$stmt->bindValue(':email','zzc22@qq.com');
$stmt->execute();
echo $stmt->rowCount();
}catch(PDOException $e){
echo $e->getMessage();
}
?>2、绑定一个值到用作预处理的 SQL 语句中的对应问号占位符
<?php
try{
$pdo=new PDO('mysql:host=localhost;dbname=my_db','root','');
$sql='INSERT user(username,password,email) VALUES(?,?,?)';
$stmt=$pdo->prepare($sql);
$username='zzc';
$password='zzc';
$stmt->bindValue(1,$username);
$stmt->bindValue(2,$password);
$stmt->bindValue(3,'123456@qq.com');
$stmt->execute();
echo $stmt->rowCount();
$username='zzc1';
$password='zzc1';
$stmt->bindValue(1,$username);
$stmt->bindValue(2,$password);
$stmt->execute();
echo $stmt->rowCount();
}catch(PDOException $e){
echo $e->getMessage();
}
?>五、bindColumn()方法绑定参数
<?php
header('content-type:text/html;charset=utf-8');
try
{
$pdo=new PDO('mysql:host=localhost;dbname=my_db','root','');
$sql='SELECT username,password,email FROM user';
$stmt=$pdo->prepare($sql);
$stmt->execute();
echo '结果集中的列数一共有:'.$stmt->columnCount();
echo '<hr/>';
print_r($stmt->getColumnMeta(0));
echo '<hr/>';
$stmt->bindColumn(1, $username);
$stmt->bindColumn(2,$password);
$stmt->bindColumn(3, $email);
while($stmt->fetch(PDO::FETCH_BOUND)){
echo '用户名:'.$username.'-密码:'.$password.'-邮箱:'.$email.'<hr/>';
}
}
catch(PDOException $e)
{
echo $e->getMessage();
}
?>六、fetchColumn()方法从结果集中返回一列
<?php
header('content-type:text/html;charset=utf-8');
try{
$pdo=new PDO('mysql:host=localhost;dbname=my_db','root','');
$sql='SELECT username,password,email FROM user';
$stmt=$pdo->query($sql);
echo $stmt->fetchColumn(0),'<br/>';
echo $stmt->fetchColumn(1),'<br/>';
echo $stmt->fetchColumn(2);
}catch(PDOException $e){
echo $e->getMessage();
}
?>Warning:使用PDOStatement::fetchColumn()取回数据,则没办法返回同一行的另外一列。
七、debugDumpParams()方法打印一条预处理语句
<?php
try{
$pdo=new PDO('mysql:host=localhost;dbname=my_db','root','');
$sql='INSERT user(username,password,email) VALUES(?,?,?)';
$stmt=$pdo->prepare($sql);
$stmt->bindParam(1, $username,PDO::PARAM_STR);
$stmt->bindParam(2,$password,PDO::PARAM_STR);
$stmt->bindParam(3,$email,PDO::PARAM_STR);
$username='testParam';
$password='testParam';
$email='testParam@qq.com';
$stmt->execute();
$stmt->debugDumpParams();
}catch(PDOException $e){
echo $e->getMessage();
}
?><?php
try{
$pdo=new PDO('mysql:host=localhost;dbname=my_db','root','');
$sql='SELECT * FROM user WHERE username=:username AND password=:password';
$stmt=$pdo->prepare($sql);
$stmt->bindParam(':username', $username,PDO::PARAM_STR);
$stmt->bindParam(':password',$password,PDO::PARAM_STR);
$username='testParam';
$password='testParam';
$stmt->execute();
$stmt->debugDumpParams();
}catch(PDOException $e){
echo $e->getMessage();
}
?>八、nextRowset()方法将结果集中指针下移
“test1.sql”
CREATE TABLE IF NOT EXISTS userAccount(
id TINYINT UNSIGNED AUTO_INCREMENT KEY,
username VARCHAR(20) NOT NULL UNIQUE,
money DECIMAL(10,2)
)ENGINE=INNODB;
INSERT userAccount(username,money) VALUES('zzc',10000),('jason',5000);
DELIMITER //
CREATE PROCEDURE test1()
BEGIN
SELECT * FROM user;
SELECT * FROM userAccount;
END
//
DELIMITER ;
CREATE TABLE test2(
);<?php
try{
$pdo=new PDO('mysql:host=localhost;dbname=my_db','root','');
$sql='call test1()';
$stmt=$pdo->query($sql);
$rowset=$stmt->fetchAll(PDO::FETCH_ASSOC);
print_r($rowset);
echo '<hr color="red"/>';
$stmt->nextRowset();
$rowset=$stmt->fetchAll(PDO::FETCH_ASSOC);
print_r($rowset);
}catch(PDOException $e){
echo $e->getMessage();
}
?>
扫一扫
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
