How do I bind the parameters of a nested query in a prepared statement?

Time: 2017-11-19 17:10:09

Tags: php mysql

I am trying to execute a nested query, but I do not know how to bind the parameters of the prepared statement.

What am I doing wrong, since this does not give me the output I want?

$dev already contains the correct value.

<?php
    session_start();
?>
<!DOCTYPE html>
<html>
<body>
<?php
    $con = new mysqli('localhost', 'root', '', 'carpark_project');
    $dev = $_SESSION["development"];
    echo $dev;

    $sql = $con->prepare("SELECT *
                          FROM carpark c
                          WHERE c.development IN (SELECT h.development
                                                  FROM history h
                                                  WHERE c.development = ?)"); # Prepare the query

    $sql->bind_param('s', $dev);
    $sql->execute();
    $sql->bind_result($answer);
    $matches = array();

    while ($sql->execute() == true)
    {
        echo "Area: ";
        echo $matches["Area"]."</br>";
        echo "Development: ";
        echo matches["development"]."</br>";
        echo "Lots: ";
        echo $matches["Lots"]."</br>";
        echo "Weekday Rate 1: ";
        echo $matches["weekday1"]. "</br>";
        echo "Weekday Rate 2: ";
        echo $matches["weekday2"]. "</br>";
        echo "Saturday: ";
        echo $matches["sat"]. "</br>";
        echo "Sunday & Public Holidays: ";
        echo $matches["sunph"]. "</br>";
    }
?>
</body>
</html>

Updated

I edited my code and the query seems to be running. However, when I run the file, it gives me this error.

Updated code

<?php
session_start();
?>
<!DOCTYPE html>
<html>
<body>
<?php
    $con = new mysqli('localhost','root','','carpark_project');
    $dev = $_SESSION["development"]; 
    echo "Development: ";
    echo $dev;


$stmt = $con->prepare("SELECT c.Area
FROM carpark c
WHERE c.development IN (
    SELECT h.development
    FROM history h
    WHERE   h.development = ?)"); #prepare the query.this line returns true or false 

$stmt->bind_param('s' , $dev); #now specify that the variables are strings and then add the variables
$stmt->execute();
$stmt->bind_result($Area);
$matches = array();

if ($stmt->execute() == true)
{
                echo "<br> Area: </br>";
                echo $matches[] = $Area;
                echo "<br></br>";

}

$sql1 = $con->prepare("SELECT c.Lots
FROM carpark c
WHERE c.development IN (
    SELECT h.development
    FROM history h
    WHERE   h.development = ?)"); #prepare the query.this line returns true or false 

$sql1->bind_param('s' , $dev); #now specify that the variables are strings and then add the variables
$sql1->execute();
$sql1->bind_result($Lots);
$matches = array();

if ($sql1->execute() == true)
{
                echo "<br> Lots: </br>";
                echo $matches[] = $Lots;
                echo "<br></br>";

}

$sql2 = $con->prepare("SELECT c.weekday1
FROM carpark c
WHERE c.development IN (
    SELECT h.development
    FROM history h
    WHERE   h.development = ?)"); #prepare the query.this line returns true or false 

$sql2->bind_param('s' , $dev); #now specify that the variables are strings and then add the variables
$sql2->execute();
$sql2->bind_result($wk1);
$matches = array();

if ($sql2->execute() == true)
{
                echo "<br> Weekday(1): </br>";
                echo $matches[] = $wk1;
                echo "<br></br>";

}

$sql3 = $con->prepare("SELECT c.weekday2
FROM carpark c
WHERE c.development IN (
    SELECT h.development
    FROM history h
    WHERE   h.development = ?)"); #prepare the query.this line returns true or false 

$sql3->bind_param('s' , $dev); #now specify that the variables are strings and then add the variables
$sql3->execute();
$sql3->bind_result($wk2);
$matches = array();

if ($sql3->execute() == true)
{
                echo "<br> Weekday(2): </br>";
                echo $matches[] = $wk2;
                echo "<br></br>";

}

$sql4 = $con->prepare("SELECT c.sat
FROM carpark c
WHERE c.development IN (
    SELECT h.development
    FROM history h
    WHERE   h.development = ?)"); #prepare the query.this line returns true or false 

$sql4->bind_param('s' , $dev); #now specify that the variables are strings and then add the variables
$sql4->execute();
$sql4->bind_result($sat);
$matches = array();

if ($sql4->execute() == true)
{
                echo "<br> Sat: </br>";
                echo $matches[] = $sat;
                echo "<br></br>";

}

$sql5 = $con->prepare("SELECT c.sat
FROM carpark c
WHERE c.development IN (
    SELECT h.development
    FROM history h
    WHERE   h.development = ?)"); #prepare the query.this line returns true or false 

$sql5->bind_param('s' , $dev); #now specify that the variables are strings and then add the variables
$sql5->execute();
$sql5->bind_result($sat);
$matches = array();

if ($sql5->execute() == true)
{
                echo "<br> Sat: </br>";
                echo $matches[] = $sat;
                echo "<br></br>";

}

$sql6 = $con->prepare("SELECT c.sunPH
FROM carpark c
WHERE c.development IN (
    SELECT h.development
    FROM history h
    WHERE   h.development = ?)"); #prepare the query.this line returns true or false 

$sql6->bind_param('s' , $dev); #now specify that the variables are strings and then add the variables
$sql6->execute();
$sql6->bind_result($sunPH);
$matches = array();

if ($sql6->execute() == true)
{
                echo "<br> Sun & PH: </br>";
                echo $matches[] = $sunPH;
                echo "<br></br>";

}


?>
</html>
</body>

Error:

Development: 文华酒店 Area:

Fatal error: Uncaught Error: Call to a member function bind_param() on boolean in C:\xampp\htdocs\PhpProject1\SearchLocation.php:41 Stack trace: #0 {main} thrown in C:\xampp\htdocs\PhpProject1\SearchLocation.php on line 41

[Error screenshot]

1 answer:

Answer 0: (score: 0)

You cannot pass object names (column names or table names) as parameters in SQL. You should build the SQL code syntactically, but using a var for that can produce SQL injection.

Anyway, looking at your code, you should know which column you are selecting, so you can avoid a parameter for the column name in the select, for example:

$sql = $con->prepare("SELECT *
                      FROM carpark c
                      WHERE c.development IN (
                          SELECT develepment_col /*<<--  assign the proper colname */
                          FROM history h
                          WHERE h.development = ?)"); # Prepare the query
$sql->bind_param('s',  $dev);
$sql->execute();

NB: columns and tables are special objects in SQL and cannot be used as parameters for building dynamic SQL code.
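An added example, not code from the question or the answer, showing the pattern the answer describes: the development name is bound as a value, the column list is taken from a fixed whitelist rather than from a parameter, one statement replaces the seven copies in the updated code, and the result set is iterated instead of calling execute() in a loop. It assumes the carpark and history tables from the question and the mysqlnd driver (needed for get_result()).

```php
<?php
// Added example, not code from the question or the answer. It assumes the
// carpark and history tables from the question and the mysqlnd driver
// (needed for get_result()).
session_start();
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // a failed prepare() now throws instead of returning false

// Object names (columns, tables) cannot be bound, so anything dynamic there
// must be checked against a fixed list before it is placed in the SQL text.
const ALLOWED_COLUMNS = ['Area', 'development', 'Lots', 'weekday1', 'weekday2', 'sat', 'sunph'];

function fetchCarparks(mysqli $con, string $dev, array $columns): array
{
    foreach ($columns as $col) {
        if (!in_array($col, ALLOWED_COLUMNS, true)) {
            throw new InvalidArgumentException("column not allowed: $col");
        }
    }
    $select = implode(', ', array_map(function ($c) { return "c.`$c`"; }, $columns));

    // The development name is a value, so it is bound through a placeholder
    // and never interpolated into the query string.
    $stmt = $con->prepare("SELECT $select
                           FROM carpark c
                           WHERE c.development IN (SELECT h.development
                                                   FROM history h
                                                   WHERE h.development = ?)");
    $stmt->bind_param('s', $dev);
    $stmt->execute();                                     // run once, then iterate the result set
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC); // one associative array per matching carpark
    $stmt->close();
    return $rows;
}

$con = new mysqli('localhost', 'root', '', 'carpark_project');
$dev = $_SESSION['development'] ?? '';

foreach (fetchCarparks($con, $dev, ALLOWED_COLUMNS) as $row) {
    foreach ($row as $name => $value) {
        // Escape database values before echoing them into HTML.
        echo htmlspecialchars($name) . ': ' . htmlspecialchars((string) $value) . "<br>\n";
    }
    echo "<hr>\n";
}
```

With MYSQLI_REPORT_STRICT enabled, a typo in a column name surfaces as a mysqli_sql_exception at prepare() rather than as the "bind_param() on boolean" fatal error seen in the question.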