我用php和mysql编写了以下代码:
$id = $_GET['id'];
if ($stmt = $db->prepare("SELECT disco, fecha, amazon from discos where id=? LIMIT 1")) {
$stmt->bind_param("i", $id); /* NOTE: "s" doesn't work */
$stmt->execute();
$stmt->bind_result($disco, $fecha, $amazon);
if($stmt->fetch()){
/* Do some stuff */
}
}
问题是,当$id的值是,例如:100abcd,查询仍然取,而它不应该,因为没有这样的id调用,但它取id 100。
为什么会发生这种情况?谢谢。
这是一个从string到int的隐式转换——相当于id = CAST('100abcd' AS unsigned);
> SELECT CAST('100abcd' AS UNSIGNED);
+-----------------------------+
| CAST('100abcd' AS UNSIGNED) |
+-----------------------------+
| 100 |
+-----------------------------+