PDOStatement->bindParam SQL语句参数绑定

最新推荐文章于 2023-12-27 14:23:55 发布
原创 最新推荐文章于 2023-12-27 14:23:55 发布 · 4.6k 阅读 · 1 ·
CC 4.0 BY-SA版权
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
文章标签:

#sql #parameters #postgresql #email #concatenation #insert

本文详细介绍了PDOStatement::bindParam函数的使用方法,包括如何将PHP变量绑定到SQL语句的参数中,支持的参数类型及如何处理输入输出参数等。

摘要生成于 C知道 ,由 DeepSeek-R1 满血版支持, 前往体验 >

PDOStatement->bindParam

(PHP 5 >= 5.1.0, PECL pdo >= 0.1.0)

PDOStatement->bindParamBinds a parameter to the specified variable name

Description

bool PDOStatement::bindParam ( mixed $parameter , mixed &$variable [, int $data_type [, int $length [, mixed $driver_options ]]] )

Binds a PHP variable to a corresponding named or question mark placeholder in the SQL statement that was use to prepare the statement. Unlike PDOStatement::bindValue(), the variable is bound as a reference and will only be evaluated at the time that PDOStatement::execute() is called.

Most parameters are input parameters, that is, parameters that are used in a read-only fashion to build up the query. Some drivers support the invocation of stored procedures that return data as output parameters, and some also as input/output parameters that both send in data and are updated to receive it.

Parameters

 

parameter

Parameter identifier. For a prepared statement using named placeholders, this will be a parameter name of the form :name. For a prepared statement using question mark placeholders, this will be the 1-indexed position of the parameter.

variable

Name of the PHP variable to bind to the SQL statement parameter.

data_type

Explicit data type for the parameter using the PDO::PARAM_* constants. Defaults to PDO::PARAM_STR. To return an INOUT parameter from a stored procedure, use the bitwise OR operator to set the PDO::PARAM_INPUT_OUTPUT bits for the data_type parameter.

length

Length of the data type. To indicate that a parameter is an OUT parameter from a stored procedure, you must explicitly set the length.

driver_options

 

 

Return Values

Returns TRUE on success or FALSE on failure.

Examples

Example #1 Execute a prepared statement with named placeholders

<?php
/* Execute a prepared statement by binding PHP variables */
$calories 150;
$colour 'red';
$sth $dbh->prepare('SELECT name, colour, calories
    FROM fruit
    WHERE calories < :calories AND colour = :colour');
$sth->bindParam(':calories'$caloriesPDO::PARAM_INT);
$sth->bindParam(':colour'$colourPDO::PARAM_STR12);
$sth->execute();
?>

Example #2 Execute a prepared statement with question mark placeholders

<?php
/* Execute a prepared statement by binding PHP variables */
$calories 150;
$colour 'red';
$sth $dbh->prepare('SELECT name, colour, calories
    FROM fruit
    WHERE calories < ? AND colour = ?');
$sth->bindParam(1$caloriesPDO::PARAM_INT);
$sth->bindParam(2$colourPDO::PARAM_STR12);
$sth->execute();
?>

Example #3 Call a stored procedure with an INOUT parameter

<?php
/* Call a stored procedure with an INOUT parameter */
$colour 'red';
$sth $dbh->prepare('CALL puree_fruit(?)');
$sth->bindParam(1$colourPDO::PARAM_STR|PDO::PARAM_INPUT_OUTPUT12);
$sth->execute();
print("After pureeing fruit, the colour is: $colour");
?>

See Also

 

 


PDOStatement->bindValue> <PDOStatement->bindColumn
Last updated: Fri, 06 Mar 2009
 
add a note add a note User Contributed Notes
 PDOStatement->bindParam
Alex
20-Sep-2008 10:00
trying to use:

<?php
....

$sql = 'select * from mytable where id in(:ids)';
$stmt->bindParam(':ids', '1,2,3,4');
....

?>

will fail.
ivanov at abv dot bg
18-Sep-2008 09:16
@bjornie at nowhere

You could do the concatenation in the query itself like this:

$stmt = $pdh->prepare("SELECT id, uname FROM tbl WHERE uname LIKE '%'||:uname||'%'");

.......
chance garcia
18-Aug-2008 02:09
@charlie smith

That behavior is expected since you are binding named parameters outside of your loop.  to achieve your desired results:

<?php
    $query = 'INSERT INTO pdotest SET storeid = :storeid, testid = :testid';
    $statement = $con->prepare($query);
foreach ($result as $row) {
    $statement->bindParam(':storeid',$row['storeid']);
    $statement->bindParam(':testid',$row['testid']);
    $statement->execute();

}
?>
Charlie Smith
21-Apr-2008 06:30
$result[] = array(
  'storeid' => '1',
  'testid' => '101'
);
$result[] = array(
  'storeid' => '2',
  'testid' => '102'
);

print_r($result);
$row['storeid'] = '9';
$row['testid'] = '900';
$query = 'INSERT INTO pdotest SET storeid = :storeid, testid = :testid';
$statement = $dbconnection->prepare($query);
$statement->bindParam(':storeid',$row['storeid']);
$statement->bindParam(':testid',$row['testid']);
foreach ($result as $row) {
    $statement->execute();

}

Will insert 9,900 twice not the intended result of:
1,101
2,102
phil[AT]papg[DOT]net
12-Mar-2008 06:04
Building on from previous comment by Sam Bou...

bindParam() can be used in a loop like this:

<?php

...

$stmt = $db->prepare("INSERT INTO users (email) VALUES (:email)");
$stmt->bindParam(':email', $val, PDO::PARAM_STR);

foreach($emails as $val) $stmt->execute();

?>
Sam Bou
01-Dec-2007 10:56
If you're using bindParam in a loop such as this:

$counter=1;
foreach($email as $val){
               $stmt->bindParam($counter, $val, PDO::PARAM_STR);
               $counter++;
}

It will fail because $val is local and the variable is bound as a reference and will only be evaluated at the time that PDOStatement->execute() is called.

So use bindValue instead.
xzilla at users dot sourceforge dot net
13-Sep-2007 03:07
currently this is not supported in the PostgreSQL driver either, though AIUI this is supported in the PostgreSQL C API, so it could be added.
bjornie at nowhere
12-Aug-2007 03:34
I can't use wildcards in my prepared statements, using it like follows:

    $stmt = $pdh->prepare("SELECT id, uname FROM tbl WHERE uname LIKE :uname OR email LIKE :email OR firstname LIKE :fn OR lastname LIKE :ln");
    $un = "%" . $un . "%";
    $em = "%" . $em . "%";
    $fn = "%" . $fn . "%";
    $ln = "%" . $ln . "%";
    $stmt->bindParam(":uname", $un);
    $stmt->bindParam(":email", $em);
    $stmt->bindParam(":fn", $fn);
    $stmt->bindParam(":ln", $ln);

This is not giving me any error messages or exceptions, it's just not returning any rows. (And there are rows matching the query...)

Running PHP5.2.3, MySQL5.0.45 and Apache2.2.4 in Windows.
jeffwa+php at gmail dot com
11-Jul-2007 08:49
Took me forever to find this elsewhere in the notes in the manual, so I'd thought I'd put this tidbit here to help others in the future.

When using a LIKE search in MySQL along with a prepared statement, the *value* must have the appropriate parentheses attached before the bindParam() statement as such:

<?php
$dbc = $GLOBALS['dbc'];
$sql = "SELECT * FROM `tbl_name` WHERE tbl_col LIKE ?";
$stmt = $dbc->prepare($sql);

$value = "%{$value}%";
$stmt->bindParam($i, $value, PDO::PARAM_STR);
?>

Trying to use
<?php
$stmt->bindParam($i, "%{$value}%", PDO::PARAM_STR);
?>

will fail.
m dot van dot urk at comsi dot nl
02-Jul-2007 02:33
You can't bind a table name in the query.
So the following code isn't working:

        $a = 'klanten';
           
        $sQuery = "SELECT COUNT(*) FROM ? WHERE email = 'info@site.uk' AND wachtwoord = 'welcome'";
        $rResult2 = $login->db->prepare($sQuery);
       
       
        $rResult2->bindValue(1, $a);
        $rResult2->execute();
        }
       
        catch (PDOException $e) {
            die( $e-getMessage());
        }
       
        if ($rResult2->fetchColumn() == 0) {
            echo 'false';
        } else {
            echo 'true';
        }
willie at spenlen dot com
14-Jun-2007 06:49
If you're using the MySQL driver and have a stored procedure with an OUT or INOUT parameter, you can't (currently) use bindValue(). See http://bugs.php.net/bug.php?id=35935 for a workaround.
Filofox
10-Apr-2006 10:09
Do not try to use the same named parameter twice in a single SQL statement, for example

$sql = 'SELECT * FROM some_table WHERE  some_value > :value OR some_value < :value';
$stmt = $dbh->prepare($sql);
$stmt->execute( array( ':value' => 3 ) );

...this will return no rows and no error -- you must use each parameter once and only once. Apparently this is expected behavior (according to this bug report: http://bugs.php.net/bug.php?id=33886)  because of portability issues.
05-Feb-2006 10:25
A caution for those using bindParam() on a placeholder in a
LIKE '%...%' clause, the following code will likely not work:

$q = "SELECT id, name FROM test WHERE name like '%:foo%'";
$s = "carrot";
$sth = $dbh->prepare($q);
$sth->bindParam(':foo', $s);
$sth->execute();

What is needed is something like the following:

$s = "%$s%";
$sth->bindParam(':foo', $s);

This should work. Tested against mysql 4.1, PHP 5.1.3.
MyBatis详解-----接口的传参与sql中的参数绑定方式
qq_40941100的博客
05-06 700
在mybatis中通过接口向sql中传参有多种形式,在开发过程中我们可以根据需求或者自己的习惯方式来进行选择。 pojo传参 当接口方法的参数类型为POJO类型时,SQL语句绑定参数时使用 #{POJO的属性名} 即可。 pojo实体类 //pojo传参时要给属性添加get和set方法 public class PageQuery { private int startIndex; private int pageSize; } 接口内容 //使用pojo传参 Li
用PDO实现 mysql 参数绑定
庹小智的博客
03-01 385
pdo支持两种参数绑定方案: 1、如果sql语句中用的是?号作为占位符,那么在bindParam参数中,第一个参数就以占位符的顺序填写,比如1代表第一个?号的值 2、如果sql语句中用的是 " :变量名 "作为占位符,那么bingParam参数中,第一个参数就是“ :变量名 ” PS:bindParam函数:par1,占位符标识,par2:值(必须以变量形式体现,否则报:Cannot pass parameter 2),par3:值的模式 有 PDO::PARAM_INT,PDO::PARAM
php pdo 参数绑定,PDO预处理之参数绑定和列绑定
weixin_36028342的博客
03-11 568
摘要:PDO查询中,2绑定操作:参数绑定与列绑定参数绑定:bindParm() 和 bindValue();bindParm(':占位符',变量,类型常量) 类型常量默认为字符串bindValue(':占位符',值或变量,类型常量) 如果直接传值,可省略类型常量execute([':占位符'=>值/变量]) :将参数以数组方PDO查询中,2绑定操作:参数绑定与列绑定参数绑定:bind...
php pdo 参数绑定,PDO预处理参数绑定
weixin_42103587的博客
03-11 337
摘要:$stmt->bindColumn : 绑定一列到一个 PHP 变量$stmt->bindParam绑定一个参数到指定的变量名$stmt->bindValue — 把一个值绑定到一个参数$stmt->closeCursor — 关闭游标,使语句能再次被执行。$stmt->columnCount — 返回结果集中的列数$stmt->debugDumpP...
PHP-PDO参数绑定问题
烟草的香味的博客
10-02 546
前言 今天在执行这样一段代码: $data = [ 'username' => 'hujingnb', 'address' => 'beijing', ]; $dbh = new PDO("mysql:host={$host};dbname={$dbname}", $username, $password); $statement = $dbh->prepare('INSERT INTO `test_user` (`username`, `address`) VALUES
PHP PDOStatement:bindParam插入数据错误问题分析
10-26
bindParam方法接收两个主要参数:一个是SQL语句中的占位符,另一个是要绑定的变量。关键在于bindParam的第二个参数,它需要一个变量的引用,这意味着bindParam会直接操作这个变量的值,而不是它的副本。这在某些情况...
PHP PDOStatement::bindParam讲解
12-20
- **$variable**:绑定SQL语句参数的PHP变量,注意这里的变量是以引用的方式传递,这意味着当`PDOStatement::execute()`被调用时,该变量的当前值会被使用。 - **$data_type**(可选): 使用`PDO::PARAM_*`常量...
PHP PDOStatement::execute讲解
12-20
2. **直接传入包含输入值的数组**:你可以提供一个数组,其中的元素数量与SQL语句中的绑定参数相同。所有值默认按`PDO::PARAM_STR`处理,即作为字符串类型。这种方式下,不能向同一个参数绑定多个值,也不能超过预...
pdo mysql like_在bindParam中使用LIKE进行MySQL PDO查询
weixin_42404983的博客
01-19 205
I've read multiple examples on how these queries should be written but I'm struggling to get this specific like to run when using bindParamWould this be the correct way to match usernames that begin w...
php pdo 参数绑定,PDO绑定参数的其他方法
weixin_42416490的博客
03-11 832
摘要:在《PDO中预处理语句占位符的使用​》已经介绍了参数绑定方法bindParam(),冒号‘:’占位符和问号‘?’都可以使用这个方法绑定参数,而且还可以指定绑定参数的类型,再次确保在执行sql中传入参数的安全性。PDO扩展中,除了bindParam()方法外,还有其它的方法也可以绑定参数。 在《PDO中预处理语句占位符的使用》已经介绍了参数绑定方法bindParam(),冒号‘:’占位符...
sql参数绑定防止注入的原理
xdscode的博客
10-26 2033
本文主要讲述为什么拼接sql容易sql注入 , 而sql使用参数绑定可以防止sql 注入 假设我们的用户表中存在一行.用户名字段为username.值为aaa.密码字段为pwd.值为pwd… 下面我们来模拟一个用户登录的过程… <?php $username = "aaa"; $pwd = "pwd"; $sql = "SELECT * FROM table WHER...
pdo 参数绑定中 where 子句中的错误的解决
weixin_34220179的博客
02-04 319
pdo 参数绑定中 where 子句中的错误的解决 select * from  admin where 1=1  and admin_name =  '$user_name' 象这句是会出错的,说 rang 什么的参数个数不正确之类的. 我也想过是否是 ' 引号造成的,但在 insert 里是这样的呀. 最后解决是目前的 php5.2 的 pdo 中操作 qlite3 要对 where 子句...
Parameter 2 to mysqli_stmt::bind_param() expected to be a reference
lx258963的专栏
11-04 434
今天在用brophp(是lamp兄弟连里的一个框架),写程序的时候,老是报一个错误,具体情况是这样的 [code="php"] if(empty($_GET['id'])) $this->error('数据不存在'); $c = D('news'); $id = $_GET['id']; $num = $c->total(); $page = new Page($num,1...
PDOStatement::bindParam
冷月醉雪的博客
04-14 232
查看更多 https://www.yuque.com/docs/share/1d2e75a8-060b-467c-8d17-88676df2573e
关于PDOStatement::bindParam 返回为空问题解决办法
A86445的博客
12-27 591
返回数组居然为空,百思不得其解,最后发现 bindParam 最后一个参数对$n 并未进行数据转换。手动对数据进行强转,网上看到建议直接对SQL语句进行赋值的,可能会导致SQL注入点产生。
SQLBindParameter 函数的参数解析及使用方法
热门推荐
u013187074的博客
10-22 1万+
以下资料均找自网上开源代码。 1 参数绑定API     执行参数化查询,需要将语句中各个参数对应的变量缓存,与Statement句柄实现绑定。     用于绑定参数的ODBC API函数: SQLRETURN SQLBindParameter(       SQLHSTMT        StatementHandle,     // statement句柄      
Perl DBI 入门和Perl DBI连接MySQL数据库
红杉树(ecitnet)的博客
09-20 2341
本文是以 Perl DBI Examples 为蓝本,配合 DBMaker 好学易用的特性,以及几个浅显易懂的例 子,希望能够一步步地带领使用者学习 Perl DBI modules 存取 DBMaker 资料库的方法。而原作者 撰写主要原动力是希望藉由这篇文章的问世,以降低 DBI mailing list 中一再重出现的 FAQ。 读完本文之後,我们就能学到利用 DBI 建立一个完备的
SQL 语句中的参数分开处理的方式
最新发布
09-13
SQL查询中,将参数分开处理是为了提高安全性,避免SQL注入攻击。SQL注入是通过恶意构造SQL语句,利用程序无法有效过滤或转义的数据来获取、修改或删除数据库中的信息。以下是几种常见的参数化查询处理方式: 1. **预编译语句(Prepared Statements)**:这是许多数据库API(如MySQLi、PDO等)提供的功能。在发送给数据库之前,会将SQL语句结构固定下来,然后用占位符(通常是问号`?`)代替参数值。执行时,再单独绑定实际的参数值。这样即使参数中包含特殊字符,也不会被执行作为SQL命令。 ```sql $stmt = $pdo->prepare("SELECT * FROM users WHERE username = ?"); $stmt->execute([$username]); ``` 2. **参数化查询(Parametrized Queries)**:直接使用编程语言提供的函数或方法,将参数作为独立的单元传递给查询,而不是将其插入到字符串中。例如,在PHP中使用PDOStatement::bindParamPDOStatement::bindValue。 ```php $stmt = $pdo->query("SELECT * FROM users WHERE username = :username"); $stmt->bindParam(':username', $username); ``` 3. **动态拼接字符串谨慎使用**:如果必须要动态生成SQL,尽量使用模板字符串或者避免字符串连接操作,避免直接拼接用户的输入。但在某些场景下,如存储过程调用,仍需小心处理。 ```sql $stmt = $pdo->prepare("CALL my_procedure(?, ?)"); $stmt->execute([$param1, $param2]); ``` 4. **使用ORM框架**:现代的一些ORM(Object-Relational Mapping)框架如Hibernate、Laravel Eloquent等也支持参数化查询,底层会自动处理参数安全。 无论哪种方式,目的都是确保用户输入的安全,防止恶意操作数据库。
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值