Heim  >  Artikel  >  php教程  >  php mysqli扩展之预处理,phpmysqli预处理

php mysqli扩展之预处理,phpmysqli预处理

WBOY
WBOYOriginal
2016-06-13 08:56:571267Durchsuche

php mysqli扩展之预处理,phpmysqli预处理

  在前一篇 mysqli基础知识中谈到mysqli的安装及基础操作(主要是单条sql语句的查询操作),今天介绍的是mysqli中很重要的一个部分:预处理。

  在mysqli操作中常常涉及到它的三个主要类:MySQLi类,MySQL_STMT类,MySQLi_RESULT类。预处理主要是利用MySQL_STMT类完成的。

  预处理是一种重要的 防止SQL注入的手段,对提高网站安全性有重要意义。

  本文案例为 数据库名为test,数据表名为test,  字段有id ,title 两个,id自增长主键。

 

  使用mysqli预处理执行插入操作:

<?<span>php 

</span><span>define</span>("HOST", "localhost"<span>);
</span><span>define</span>("USER", 'root'<span>);
</span><span>define</span>("PWD", ''<span>);
</span><span>define</span>("DB", 'test'<span>);

</span><span>$mysqli</span>=<span>new</span> Mysqli(HOST,USER,PWD,<span>DB);

</span><span>if</span> (<span>$mysqli</span>-><span>connect_errno) {
    </span>"Connect Error:".<span>$mysqli</span>-><span>connect_error;
}

</span><span>$mysqli</span>->set_charset('utf8'<span>);

</span><span>$id</span>=''<span>;
</span><span>$title</span>='title4'<span>;
</span><span>//</span><span>用?代替 变量</span>
<span>$sql</span>="INSERT test VALUES (?,?)"<span>;
</span><span>//</span><span>获得$mysqli_stmt对象,一定要记住传$sql,预处理是对sql语句的预处理。</span>
<span>$mysqli_stmt</span>=<span>$mysqli</span>->prepare(<span>$sql</span><span>);

</span><span>//</span><span>第一个参数表明变量类型,有i(int),d(double),s(string),b(blob)</span>
<span>$mysqli_stmt</span>->bind_param('is',<span>$id</span>,<span>$title</span><span>);

</span><span>//</span><span>执行预处理语句</span>
<span>if</span>(<span>$mysqli_stmt</span>-><span>execute()){
    </span><span>echo</span> <span>$mysqli_stmt</span>-><span>insert_id;
}</span><span>else</span><span>{
    </span><span>echo</span> <span>$mysqli_stmt</span>-><span>error;

}
</span><span>$mysqli</span>->close();

使用mysqli预处理防止sql注入:

<span>$id</span>='4'<span>;
</span><span>$title</span>='title4'<span>;

</span><span>$sql</span>="SELECT * FROM test WHERE id=? AND title=?"<span>;
</span><span>$mysqli_stmt</span>=<span>$mysqli</span>->prepare(<span>$sql</span><span>);
</span><span>$mysqli_stmt</span>->bind_param('is',<span>$id</span>,<span>$title</span><span>);

</span><span>if</span> (<span>$mysqli_stmt</span>-><span>execute()) {
    </span><span>$mysqli_stmt</span>-><span>store_result();
    </span><span>if</span>(<span>$mysqli_stmt</span>->num_rows()>0<span>){
        </span><span>echo</span> "验证成功"<span>;
    }</span><span>else</span><span>{
        </span><span>echo</span> "验证失败"<span>;
    }
}
    </span><span>$mysqli_stmt</span>-><span>free_result();
    </span><span>$mysqli_stmt</span>->close();

使用mysqli预处理执行查询语句:

<span>$sql</span>="SELECT id,title FROM test WHERE id>=?"<span>;

</span><span>$mysqli_stmt</span>=<span>$mysqli</span>->prepare(<span>$sql</span><span>);
</span><span>$id</span>=1<span>;

</span><span>$mysqli_stmt</span>->bind_param('i',<span>$id</span><span>);

</span><span>if</span>(<span>$mysqli_stmt</span>-><span>execute()){
    </span><span>$mysqli_stmt</span>-><span>store_result();<br />   //将一个变量绑定到一个prepared语句上用于结果存储
    </span><span>$mysqli_stmt</span>->bind_result(<span>$id</span>,<span>$title</span><span>);
    </span><span>while</span> (<span>$mysqli_stmt</span>-><span>fetch()) {
        </span><span>echo</span> <span>$id</span>.' :'.<span>$title</span>.'<br/>'<span>;
    }


}</span>

    更多mysqli技术请参见php官方手册,查手册是学习的最好方法~

 

Stellungnahme:
Der Inhalt dieses Artikels wird freiwillig von Internetnutzern beigesteuert und das Urheberrecht liegt beim ursprünglichen Autor. Diese Website übernimmt keine entsprechende rechtliche Verantwortung. Wenn Sie Inhalte finden, bei denen der Verdacht eines Plagiats oder einer Rechtsverletzung besteht, wenden Sie sich bitte an admin@php.cn