给定此查询
$query = "SELECT * FROM products WHERE category = {category} AND price = '{price}'"
使用这些$_GET参数:类别=10,价格=$60
我想用实际的GET值替换{}中的内容要获得这样的sql查询:
"SELECT * FROM products WHERE category = 10 AND price = '$60'"
但是如果缺少一个或多个参数,我想替换{}的内容用不同的东西来避免处决。例如:
"SELECT * FROM products WHERE category = category AND price = price"
注意:我知道sql注入。那是另一个主题。我想知道的是,如果值(from get)不存在,如何避免执行sql雄蕊。例如,从id=id返回所有产品的产品中选择*,但从id=100只返回一个(id为100)的产品中选中*
对于一个简单的查询,这是OP的方式,但看看Doctrine,它是处理查询的完美层
由于SQL注入,这不是解决此问题的正确方法。试试这个:
if(isset($_GET['category']) && isset($_GET['price'])) {
// you might want to consider validating user input
//use either PDO or MySQLi with parametized Query e.g.
$stmt = $pdo_instance->prepare("SELECT * FROM products WHERE category = :category AND price = :price");
$stmt->bindValue(":category", $_GET['category']);
$stmt->bindValue(":price", $_GET['category']);
} else if(isset($_GET['category'])) {
//use either PDO or MySQLi with parametized Query e.g.
$stmt = $pdo_instance->prepare("SELECT * FROM products WHERE category = :category");
$stmt->bindValue(":category", $_GET['category']);
} else if(isset($_GET['price'])) {
//use either PDO or MySQLi with parametized Query e.g.
$stmt = $pdo_instance->prepare("SELECT * FROM products WHERE price = :price");
$stmt->bindValue(":price", $_GET['price']);
}
//variables
if(isset($_GET['category']) && isset($_GET['price'])) {
$category = $_GET['category'];
$price = $_GET['price'];
//create server instance
$mysqli = new mysqli("server", "username", "password", "database_name");
//make sure there was no errors with the connection
if (mysqli_connect_errno()) {
printf("Connect failed: %s'n", mysqli_connect_error());
exit();
}
//create a parameterized query
$query = $mysqli->prepare("SELECT * FROM products WHERE category = ? AND price = '?'");
//bind query params
$query->bind_param("s", $category, $price);
//execute the query and then clean up
$query->execute();
$query->close();
$mysqli->close();
}
有关更多详细信息,请参阅我的POST。