Home > php教程 > php手册 > php mysqli扩展之预处理,phpmysqli预处理

php mysqli扩展之预处理,phpmysqli预处理

WBOY
Release: 2016-06-13 08:56:57
Original
1296 people have browsed it

php mysqli扩展之预处理,phpmysqli预处理

  在前一篇 mysqli基础知识中谈到mysqli的安装及基础操作(主要是单条sql语句的查询操作),今天介绍的是mysqli中很重要的一个部分:预处理。

  在mysqli操作中常常涉及到它的三个主要类:MySQLi类,MySQL_STMT类,MySQLi_RESULT类。预处理主要是利用MySQL_STMT类完成的。

  预处理是一种重要的 防止SQL注入的手段,对提高网站安全性有重要意义。

  本文案例为 数据库名为test,数据表名为test,  字段有id ,title 两个,id自增长主键。

 

  使用mysqli预处理执行插入操作:

<?<span>php 

</span><span>define</span>("HOST", "localhost"<span>);
</span><span>define</span>("USER", 'root'<span>);
</span><span>define</span>("PWD", ''<span>);
</span><span>define</span>("DB", 'test'<span>);

</span><span>$mysqli</span>=<span>new</span> Mysqli(HOST,USER,PWD,<span>DB);

</span><span>if</span> (<span>$mysqli</span>-><span>connect_errno) {
    </span>"Connect Error:".<span>$mysqli</span>-><span>connect_error;
}

</span><span>$mysqli</span>->set_charset('utf8'<span>);

</span><span>$id</span>=''<span>;
</span><span>$title</span>='title4'<span>;
</span><span>//</span><span>用?代替 变量</span>
<span>$sql</span>="INSERT test VALUES (?,?)"<span>;
</span><span>//</span><span>获得$mysqli_stmt对象,一定要记住传$sql,预处理是对sql语句的预处理。</span>
<span>$mysqli_stmt</span>=<span>$mysqli</span>->prepare(<span>$sql</span><span>);

</span><span>//</span><span>第一个参数表明变量类型,有i(int),d(double),s(string),b(blob)</span>
<span>$mysqli_stmt</span>->bind_param('is',<span>$id</span>,<span>$title</span><span>);

</span><span>//</span><span>执行预处理语句</span>
<span>if</span>(<span>$mysqli_stmt</span>-><span>execute()){
    </span><span>echo</span> <span>$mysqli_stmt</span>-><span>insert_id;
}</span><span>else</span><span>{
    </span><span>echo</span> <span>$mysqli_stmt</span>-><span>error;

}
</span><span>$mysqli</span>->close();
Copy after login

使用mysqli预处理防止sql注入:

<span>$id</span>='4'<span>;
</span><span>$title</span>='title4'<span>;

</span><span>$sql</span>="SELECT * FROM test WHERE id=? AND title=?"<span>;
</span><span>$mysqli_stmt</span>=<span>$mysqli</span>->prepare(<span>$sql</span><span>);
</span><span>$mysqli_stmt</span>->bind_param('is',<span>$id</span>,<span>$title</span><span>);

</span><span>if</span> (<span>$mysqli_stmt</span>-><span>execute()) {
    </span><span>$mysqli_stmt</span>-><span>store_result();
    </span><span>if</span>(<span>$mysqli_stmt</span>->num_rows()>0<span>){
        </span><span>echo</span> "验证成功"<span>;
    }</span><span>else</span><span>{
        </span><span>echo</span> "验证失败"<span>;
    }
}
    </span><span>$mysqli_stmt</span>-><span>free_result();
    </span><span>$mysqli_stmt</span>->close();
Copy after login

使用mysqli预处理执行查询语句:

<span>$sql</span>="SELECT id,title FROM test WHERE id>=?"<span>;

</span><span>$mysqli_stmt</span>=<span>$mysqli</span>->prepare(<span>$sql</span><span>);
</span><span>$id</span>=1<span>;

</span><span>$mysqli_stmt</span>->bind_param('i',<span>$id</span><span>);

</span><span>if</span>(<span>$mysqli_stmt</span>-><span>execute()){
    </span><span>$mysqli_stmt</span>-><span>store_result();<br />   //将一个变量绑定到一个prepared语句上用于结果存储
    </span><span>$mysqli_stmt</span>->bind_result(<span>$id</span>,<span>$title</span><span>);
    </span><span>while</span> (<span>$mysqli_stmt</span>-><span>fetch()) {
        </span><span>echo</span> <span>$id</span>.' :'.<span>$title</span>.'<br/>'<span>;
    }


}</span>
Copy after login

    更多mysqli技术请参见php官方手册,查手册是学习的最好方法~

 

Related labels:
source:php.cn
Statement of this Website
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn
Popular Recommendations
Popular Tutorials
More>
Latest Downloads
More>
Web Effects
Website Source Code
Website Materials
Front End Template