关于PDO的准备语句,我有一个问题。
在下面的代码中,示例1使用了预处理语句。然而,这段代码并没有产生期望的结果。示例2产生了期望的结果,但没有使用预处理语句。
示例1在SQL字符串中使用?占位符,然后将字符串值绑定到这些占位符,然后执行(如您所期望的)。
<?php
// debugging
error_reporting(E_ALL);
ini_set("display_errors", 1);
// db vars
$host = 'localhost';
$db_name = 'cakeTut';
$db_username = 'root';
$db_password = 'password';
// try to connect to db, else catch exception.
try{
$pdo = new PDO('mysql:host='.$host.';dbname='.$db_name, $db_username, $db_password);
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
}catch (PDOException $e){
echo $e->getMessage();
die();
}
///////////////////////////////////////
// Example 1
///////////////////////////////////////
// query vars
$tablename = 'users';
$id = 'id';
$first_name = 'first_name';
$last_name = 'last_name';
// query string w/placeholders, then prepare query
$sql = "SELECT ?, ?, ? FROM $tablename";
$query = $pdo->prepare($sql);
// binding query vars to placeholders in query string
$query->bindParam(1, $id, PDO::PARAM_STR);
$query->bindParam(2, $first_name, PDO::PARAM_STR);
$query->bindParam(3, $last_name, PDO::PARAM_STR);
// execute query & print out query details for debugging
$query->execute();
$query->debugDumpParams();
// fetch result set & print it
$resultSet = $query->fetchAll();
print_r($resultSet);
// loop through result set and print cols.
foreach($resultSet as $row) {
echo $row['id'] . " " . $row['first_name'] . " " . $row['last_name'];
echo "<br>";
}
///////////////////////////////////////
// Example 2
///////////////////////////////////////
// create query string with out placeholders, prepare and execute
$sql = "SELECT `id`, `first_name`, `last_name` FROM `users`";
$query = $pdo->prepare($sql);
$query->execute();
// get result set & print it
$resultSet = $query->fetchAll();
print_r($resultSet);
// loop through result set and print cols.
foreach($resultSet as $row) {
echo $row['id'] . " " . $row['first_name'] . " " . $row['last_name'];
echo "<br>";
}
?>
例1 $query->debugDumpParams();
SQL: [25] SELECT ?, ?, ? FROM users Params: 3 Key: Position #0: paramno=0 name=[0] "" is_param=1 param_type=2 Key: Position #1: paramno=1 name=[0] "" is_param=1 param_type=2 Key: Position #2: paramno=2 name=[0] "" is_param=1 param_type=2
例1 print_r($resultSet);
Array ( [0] => Array ( [id] => id [0] => id [first_name] => first_name [1] => first_name [last_name] => last_name [2] => last_name ) [1] => Array ( [id] => id [0] => id [first_name] => first_name [1] => first_name [last_name] => last_name [2] => last_name ) [2] => Array ( [id] => id [0] => id [first_name] => first_name [1] => first_name [last_name] => last_name [2] => last_name ) [3] => Array ( [id] => id [0] => id [first_name] => first_name [1] => first_name [last_name] => last_name [2] => last_name ) [4] => Array ( [id] => id [0] => id [first_name] => first_name [1] => first_name [last_name] => last_name [2] => last_name ) )
循环遍历示例1的结果集并打印颜色:
id first_name last_name
id first_name last_name
id first_name last_name
id first_name last_name
id first_name last_name
例2 print_r($resultSet);
Array ( [0] => Array ( [id] => 3 [0] => 3 [first_name] => fiona [1] => fiona [last_name] => mac [2] => mac ) [1] => Array ( [id] => 4 [0] => 4 [first_name] => ronan [1] => ronan [last_name] => duddy [2] => duddy ) [2] => Array ( [id] => 5 [0] => 5 [first_name] => tom [1] => tom [last_name] => thumb [2] => thumb ) [3] => Array ( [id] => 30 [0] => 30 [first_name] => ronan [1] => ronan [last_name] => mcl [2] => mcl ) [4] => Array ( [id] => 31 [0] => 31 [first_name] => Admin [1] => Admin [last_name] => admin [2] => admin ) )
循环遍历示例2的结果集并打印颜色:
3 fiona mac
4 ronan duddy
5 tom thumb
30 ronan mcl
31 Admin admin
我错过了什么吗?上面代码中的两个示例不应该打印出相同的数据,即示例2吗?我在谷歌上搜索了一下,示例1的代码与准备语句的基本示例相匹配。
很多谢谢,罗南
预处理语句占位符只能在查询中表示VALUES。不能将它们用于表名、字段名或任何其他SQL关键字。
SELECT * FROM foo WHERE (somefield = ?) // ok
SELECT ? FROM foo WHERE (somefield = 2) // bad - cannot use for field name
SELECT * FROM ? WHERE (somefield = 2) // bad cannot use for table name
SELECT * FROM foo WHERE (somefield = 2) ORDER BY somefield ? // again bad, can't use for sort order
SELECT * FROM foo WHERE (? = 2) // again bad, can't use for field name
在我阅读它时,您不能在PDO中为表/列名使用参数。http://php.net/manual/en/book.pdo.php
请注意:
行不通:
$sth = $dbh->prepare('SELECT name, colour, calories FROM ? WHERE calories < ?');
这工作!
$sth = $dbh->prepare('SELECT name, colour, calories FROM fruit WHERE calories < ?');