我正在尝试使用postgres在PHP中制作一些准备好的语句。
解释起来有点困难,所以我就告诉你:
$stmt = "SELECT * FROM customer WHERE zip = '$1'";
if(isset($_POST["CITY"])){
$stmt .= "AND city = '$2'";
}
if(isset($_POST["COUNTRY"])){
$stmt .= "AND country = '$3'";
}
$result = pg_prepare("myconnection", "my query", $stmt);
$result1 = pg_execute("myconnection","my query", array("0000","someCity","someCountry"));
抱歉,如果某些代码是错误的,但这是一个手绘示例。我需要的是能够使预准备语句动态,具体取决于某些变量是否为 set/not-null。当语句只期望 1 或我只需要添加 $1 和 $3 而不是 $2 时,在数组中发布 3 个变量时,它似乎不起作用。希望你能理解。
这个周末我需要使用它,所以我希望有人知道!
提前谢谢你!
在预准备语句中,SQL 故意是静态的。准备好语句后,参数的数量不能改变。
但是,您的代码很容易根据语句提交正确数量的参数。您可以为参数计数器添加一个变量,并添加一个动态 php 数组以传递给 pg_execute而不是硬编码文本。它们将在if (isset(...))分支内递增/填充。
拥有 3 个不同的语句(每种情况一个)并根据传递的参数数量执行适用的语句并没有错。例:
编辑:我修改了代码以匹配所有情况:
- 仅指定的 zip 文件
- 邮编+城市
- 邮编 + 国家
- 邮编 + 城市 + 国家
(即使还有其他一些情况,你也会理解这个想法)
$stmt = "SELECT * FROM customer WHERE zip = '$1'";
if(isset($_POST["CITY"]) && isset($_POST["COUNTRY"])) {
$stmt3 = $stmt . " AND city = '$2'" . " AND country = '$3'";
} elseif(isset($_POST["CITY"])) {
$stmt1 = $stmt . " AND city = '$2'";
} elseif(isset($_POST["COUNTRY"])) {
$stmt2 = $stmt . " AND country = '$2'";
}
if(isset($stmt3)) {
$result = pg_prepare("myconnection", "my query", $stmt3);
$result1 = pg_execute("myconnection","my query", array("0000","someCity","someCountry"));
} elseif(isset($stmt2)) {
$result = pg_prepare("myconnection", "my query", $stmt2);
$result1 = pg_execute("myconnection","my query", array("0000","someCountry"));
} elseif(isset($stmt1)) {
$result = pg_prepare("myconnection", "my query", $stmt1);
$result1 = pg_execute("myconnection","my query", array("0000","someCity"));
} else {
$result = pg_prepare("myconnection", "my query", $stmt);
$result1 = pg_execute("myconnection","my query", array("0000"));
}
为了简洁起见,我省略了(就像您一样)所有错误检查。
尽管丹尼尔和艾默里克都是正确的——测试两次或使用数字都没有意义。见下文:
$some_vars = array();
$some_vars[":zip"] = $_POST["ZIP"];
$stmt = "SELECT * FROM customer WHERE zip = :zip";
if(isset($_POST["CITY"])){
$some_vars[":city"] = $_POST["CITY"]);
$stmt .= " AND city = :city";
}
if(isset($_POST["COUNTRY"])){
$some_vars[":country"] = $_POST["COUNTRY"]);
$stmt .= " AND country = :country";
}
$result = pg_prepare("myconnection", "my query", $stmt);
$result1 = pg_execute("myconnection","my query", $some_vars);
不要忘记消毒等。
不要做字符串连接。检查参数是否设置。如果没有,请将它们设置为空。使用单个查询字符串:
$zip = $_POST["zip"];
$city = $_POST["city"];
$country = $_POST["country"];
if (!isset($zip)) $zip = '';
if (!isset($city)) $city = '';
if (!isset($country)) $country = '';
$stmt = "
select *
from customer
where
(zip = '$1' or '$1' = '')
and
(city = '$2' or '$2' = '')
and
(country = '$3' or '$3' = '')
";
$result = pg_prepare("myconnection", "my query", $stmt);
$result1 = pg_execute(
"myconnection",
"my query",
array($zip, $city, $country)
);
仅当相应的参数不是空字符串时,才会强制执行每个条件。
相同的逻辑可以使用 null 值代替空,这些列包含应选择的空字符串。