MySQLi 中的 SELECT * FROM

2021-12-25 00:00:00 php mysqli

我的网站相当广泛,我最近才切换到 PHP5(称我为大器晚成的人).

My site is rather extensive, and I just recently made the switch to PHP5 (call me a late bloomer).

我之前所有的 MySQL 查询都是这样构建的:

All of my MySQL query's before were built as such:

"SELECT * FROM tablename WHERE field1 = 'value' && field2 = 'value2'";

这使它变得非常容易、简单和友好.

This made it very easy, simple and friendly.

出于明显的安全原因,我现在正在尝试切换到 mysqli,并且我很难弄清楚如何在 bind_param<时实现相同的 SELECT * FROM 查询/code> 需要特定参数.

I am now trying to make the switch to mysqli for obvious security reasons, and I am having a hard time figuring out how to implement the same SELECT * FROM queries when the bind_param requires specific arguments.

这句话是过去式了吗?

如果是,我该如何处理涉及大量列的查询?我真的需要每次都把它们都打出来吗?

If it is, how do I handle a query with tons of columns involved? Do I really need to type them all out every time?

推荐答案

"SELECT * FROM tablename WHERE field1 = 'value' && field2 = 'value2'";

变成

"SELECT * FROM tablename WHERE field1 = ? && field2 = ?";

传递给 $mysqli::prepare:

$stmt = $mysqli->prepare(
  "SELECT * FROM tablename WHERE field1 = ? && field2 = ?");
$stmt->bind_param( "ss", $value, $value2); 
// "ss' is a format string, each "s" means string
$stmt->execute();
 
$stmt->bind_result($col1, $col2);
// then fetch and close the statement

OP 评论:

所以如果我有 5 个参数,我可能会有sssis"或其他东西(取决于输入的类型?)

so if i have 5 parameters, i could potentially have "sssis" or something (depending on the types of inputs?)

对,准备好的语句中每个 ? 参数都有一个类型说明符,所有这些都是位置说明符(第一个说明符适用于第一个 ? ,它被第一个实际参数(哪个是 bind_param)) 的第二个参数.

Right, one type specifier per ? parameter in the prepared statement, all of them positional (first specifier applies to first ? which is replaced by first actual parameter (which is the second parameter to bind_param)).

相关文章