我只是在阅读了SQL注入攻击后编辑了我的搜索脚本。我正在尝试使用PDO而不是常规的mysql连接从我的脚本中获取相同的功能。所以我一直在阅读有关PDO的其他帖子,但我不确定。这两个脚本会提供相同的功能吗?
使用PDO:
$pdo = new PDO('mysql:host=$host; dbname=$database;', $user, $pass);
$stmt = $pdo->prepare('SELECT * FROM auction WHERE name = :name');
$stmt->bindParam(':name', $_GET['searchdivebay']);
$stmt->execute(array(':name' => $name);
使用常规mysql:
$dbhost = @mysql_connect($host, $user, $pass) or die('Unable to connect to server');
@mysql_select_db('divebay') or die('Unable to select database');
$search = $_GET['searchdivebay'];
$query = trim($search);
$sql = "SELECT * FROM auction WHERE name LIKE '%" . $query . "%'";
if(!isset($query)){
echo 'Your search was invalid';
exit;
} //line 18
$result = mysql_query($trim);
$numrows = mysql_num_rows($result);
mysql_close($dbhost);
我继续使用常规示例来使用
while($i < $numrows){
$row = mysql_fetch_array($result);
从数据库创建匹配结果的数组。如何使用PDO执行此操作?
答案 0 :(得分:61)
查看PDOStatement.fetchAll
方法。您还可以在迭代器模式中使用fetch
。
来自PHP文档的fetchAll
的代码示例:
<?php
$sth = $dbh->prepare("SELECT name, colour FROM fruit");
$sth->execute();
/* Fetch all of the remaining rows in the result set */
print("Fetch all of the remaining rows in the result set:\n");
$result = $sth->fetchAll(\PDO::FETCH_ASSOC);
print_r($result);
结果:
Array
(
[0] => Array
(
[NAME] => pear
[COLOUR] => green
)
[1] => Array
(
[NAME] => watermelon
[COLOUR] => pink
)
)
答案 1 :(得分:7)
有三种方法可以获取PDO语句返回的多行。
最简单的就是迭代PDOStatement本身:
$stmt = $pdo->prepare("SELECT * FROM auction WHERE name LIKE ?")
$stmt->execute(array("%$query%"));
// iterating over a statement
foreach($stmt as $row) {
echo $row['name'];
}
另一个是在熟悉的while语句中使用fetch()方法获取行:
$stmt = $pdo->prepare("SELECT * FROM auction WHERE name LIKE ?")
$stmt->execute(array("%$query%"));
// using while
while($row = $stmt->fetch()) {
echo $row['name'];
}
但对于现代Web应用程序,我们应该将数据库迭代与输出分开,因此最方便的方法是使用fetchAll()方法一次获取所有行:
$stmt = $pdo->prepare("SELECT * FROM auction WHERE name LIKE ?")
$stmt->execute(array("%$query%"));
// fetching rows into array
$data = $stmt->fetchAll();
然后在模板中输出它们:
<ul>
<?php foreach($data as $row): ?>
<li><?=$row['name']?></li>
<?php endforeach ?>
</ul>
请注意,PDO支持many sophisticated fetch modes, allowing fetchAll() to return data in many different formats。
答案 2 :(得分:-2)
$st = $data->prepare("SELECT * FROM exampleWHERE example LIKE :search LIMIT 10");