PHP预备语句　使用绑定的输入变量的一个数据处理查询的例子

最新推荐文章于 2024-03-28 19:39:20 发布

esanweb

最新推荐文章于 2024-03-28 19:39:20 发布

阅读量261

点赞数

CC 4.0 BY-SA版权

分类专栏： php 文章标签： php mysql

本文链接：https://blog.youkuaiyun.com/esanweb/article/details/105985074

php 专栏收录该内容

11 篇文章

订阅专栏

本文演示了如何使用PHP的mysqli扩展进行SQL预处理和参数绑定，通过创建alfas表并插入多条记录，展示了如何使用prepare和bind_param方法有效防止SQL注入。

摘要生成于 C知道，由 DeepSeek-R1 满血版支持，前往体验 >

<?php
//$conn = mysqli_connect("localhost","root","root","world");
$conn = new mysqli("localhost","root","root","world");

//var_dump($conn);

$conn->query("CREATE TABLE alfas (year INTEGER, model VARCHAR(50), accel REAL)");

$stmt = $conn->prepare("INSERT INTO alfas VALUES(?, ?, ?) ");
var_dump($stmt);

$stmt->bind_param("isd", $year, $model, $accel);

$year = 2001;
$model = '156 2.0 Selespeed';
$accel = 8.6;
$stmt->execute();

$year = 2003;
$model = '147 2.0 Selespeed';
$accel = 9.3;
$stmt->execute();

$year = 2004;
$model = '156 GTA Sportwagon';
$accel = 6.3;
$stmt->execute();

执行结果：

object(mysqli_stmt)[2]
  public 'affected_rows' => int 0
  public 'insert_id' => int 0
  public 'num_rows' => int 0
  public 'param_count' => int 3
  public 'field_count' => int 0
  public 'errno' => int 0
  public 'error' => string '' (length=0)
  public 'error_list' => 
    array (size=0)
      empty
  public 'sqlstate' => string '00000' (length=5)
  public 'id' => int 1

注意是先有prepare，？占位，然后是bind_param,接下来才是给占位的各个变量赋值，最后是execute，后两步可多次执行．关于bind_param的第一个参数，可以参考以下文档：

/**
 * Binds variables to a prepared statement as parameters
 * @link http://php.net/manual/en/mysqli-stmt.bind-param.php
 * @param string $types <p>
 * A string that contains one or more characters which specify the types
 * for the corresponding bind variables:
 * <table>
 * Type specification chars
 * <tr valign="top">
 * <td>Character</td>
 * <td>Description</td>
 * </tr>
 * <tr valign="top">
 * <td>i</td>
 * <td>corresponding variable has type integer</td>
 * </tr>
 * <tr valign="top">
 * <td>d</td>
 * <td>corresponding variable has type double</td>
 * </tr>
 * <tr valign="top">
 * <td>s</td>
 * <td>corresponding variable has type string</td>
 * </tr>
 * <tr valign="top">
 * <td>b</td>
 * <td>corresponding variable is a blob and will be sent in packets</td>
 * </tr>
 * </table>
 * </p>
 * @param mixed $var1 <p>
 * The number of variables and length of string
 * types must match the parameters in the statement.
 * </p>
 * @param mixed $_ [optional]
 * @return bool true on success or false on failure.
 * @since 5.0
 */
public function bind_param ($types, &$var1, &$_ = null) {}

示例中取"isd"，指示后面的３个变量分别是整形integer，字符串型string，双精度浮点型double