Question

我有一个旧的mysql代码，它在应用程序中正常工作：

  $query = "
SELECT * FROM Tutor t  
WHERE 
(t.Tutorusername = '".mysql_real_escape_string($tutorusername)."')
AND
(t.Tutorpassword = '".mysql_real_escape_string($tutorpassword)."')
";


$num = mysql_num_rows($result = mysql_query($query));


while($row = mysql_fetch_array($result))
  {

  ...

}

但我现在想从Mysql改变而不是使用mysqli。我的问题是，下面的mysqli代码是否完全正确，并且与上面的mysql代码相同？

$query = $mysqli->prepare("
    SELECT * FROM Tutor t  
    WHERE 
    (t.Tutorusername = '".mysqli_real_escape_string($tutorusername)."')
    AND
    (t.Tutorpassword = '".mysqli_real_escape_string($tutorpassword)."')
    ");

    $query->bind_result($Tutor);

    $num = $query->num_rows($result = $query->execute());


    while($row = $result->fetch())
      {

...

}

Answer 1

这里不需要使用preapre()因为你正在连接sql字符串。

$sql="SELECT * FROM Tutor t
        WHERE 
        t.Tutorusername='".mysqli_real_escape_string($tutorusername)."'
        AND 
        t.Tutorpassword = '".mysqli_real_escape_string($tutorpassword)."'");

$result=$mysqli->query($sql);
if($result)
{
 $row=$result->fetch_row();
 if($row)
    print_r($row);
}

对于prepare（）方法，您必须指定参数：

  $sql="SELECT * FROM Tutor t 
          WHERE t.Tutorusername=? AND t.Tutorpassword=?";

   $stmt=$mysqli->prepare($sql);
   $stmt->bind_param("s",$tutorusername);
   $stmt->bind_param("s",$tutorpassword);

   $stmt->execute(); 

   //I presume that the table "T" has three columns
   $stmt->bind_result($col1,$col2,$col2);
   while($stmt->fetch())
   {
     echo "<br/>", $col1,$col2,$col3;
    }

PS：阅读mysqli API的PHP手册。

在下面的这个例子中将mysql转换为mysqli

1 个答案: