Home >Backend Development >PHP Tutorial >php mysqli extension preprocessing, phpmysqli preprocessing_PHP tutorial
In the previous article about the basic knowledge of mysqli, I talked about the installation and basic operations of mysqli (mainly the query operation of a single sql statement) ), today we introduce a very important part of mysqli: preprocessing.
In mysqli operations, its three main classes are often involved: MySQLi class, MySQL_STMT class, and MySQLi_RESULT class. Preprocessing is mainly done using the MySQL_STMT class.
Preprocessing is an important means of preventing SQL injection and is of great significance to improving website security.
The case of this article is that the database name is test, the data table name is test, the fields include id and title, and the id is an auto-increasing primary key.
Use mysqli preprocessing to perform insert operations:
<?<span>php </span><span>define</span>("HOST", "localhost"<span>); </span><span>define</span>("USER", 'root'<span>); </span><span>define</span>("PWD", ''<span>); </span><span>define</span>("DB", 'test'<span>); </span><span>$mysqli</span>=<span>new</span> Mysqli(HOST,USER,PWD,<span>DB); </span><span>if</span> (<span>$mysqli</span>-><span>connect_errno) { </span>"Connect Error:".<span>$mysqli</span>-><span>connect_error; } </span><span>$mysqli</span>->set_charset('utf8'<span>); </span><span>$id</span>=''<span>; </span><span>$title</span>='title4'<span>; </span><span>//</span><span>用?代替 变量</span> <span>$sql</span>="INSERT test VALUES (?,?)"<span>; </span><span>//</span><span>获得$mysqli_stmt对象,一定要记住传$sql,预处理是对sql语句的预处理。</span> <span>$mysqli_stmt</span>=<span>$mysqli</span>->prepare(<span>$sql</span><span>); </span><span>//</span><span>第一个参数表明变量类型,有i(int),d(double),s(string),b(blob)</span> <span>$mysqli_stmt</span>->bind_param('is',<span>$id</span>,<span>$title</span><span>); </span><span>//</span><span>执行预处理语句</span> <span>if</span>(<span>$mysqli_stmt</span>-><span>execute()){ </span><span>echo</span> <span>$mysqli_stmt</span>-><span>insert_id; }</span><span>else</span><span>{ </span><span>echo</span> <span>$mysqli_stmt</span>-><span>error; } </span><span>$mysqli</span>->close();
Use mysqli preprocessing to prevent sql injection:
<span>$id</span>='4'<span>; </span><span>$title</span>='title4'<span>; </span><span>$sql</span>="SELECT * FROM test WHERE id=? AND title=?"<span>; </span><span>$mysqli_stmt</span>=<span>$mysqli</span>->prepare(<span>$sql</span><span>); </span><span>$mysqli_stmt</span>->bind_param('is',<span>$id</span>,<span>$title</span><span>); </span><span>if</span> (<span>$mysqli_stmt</span>-><span>execute()) { </span><span>$mysqli_stmt</span>-><span>store_result(); </span><span>if</span>(<span>$mysqli_stmt</span>->num_rows()>0<span>){ </span><span>echo</span> "验证成功"<span>; }</span><span>else</span><span>{ </span><span>echo</span> "验证失败"<span>; } } </span><span>$mysqli_stmt</span>-><span>free_result(); </span><span>$mysqli_stmt</span>->close();
Use mysqli preprocessing to execute query statements:
<span>$sql</span>="SELECT id,title FROM test WHERE id>=?"<span>; </span><span>$mysqli_stmt</span>=<span>$mysqli</span>->prepare(<span>$sql</span><span>); </span><span>$id</span>=1<span>; </span><span>$mysqli_stmt</span>->bind_param('i',<span>$id</span><span>); </span><span>if</span>(<span>$mysqli_stmt</span>-><span>execute()){ </span><span>$mysqli_stmt</span>-><span>store_result();<br /> //将一个变量绑定到一个prepared语句上用于结果存储 </span><span>$mysqli_stmt</span>->bind_result(<span>$id</span>,<span>$title</span><span>); </span><span>while</span> (<span>$mysqli_stmt</span>-><span>fetch()) { </span><span>echo</span> <span>$id</span>.' :'.<span>$title</span>.'<br/>'<span>; } }</span>
For more mysqli technologies, please refer to the official PHP manual. Checking the manual is the best way to learn~