我有一个旧的mysql代码,它在应用程序中正常工作:
$query = "
SELECT * FROM Tutor t
WHERE
(t.Tutorusername = '".mysql_real_escape_string($tutorusername)."')
AND
(t.Tutorpassword = '".mysql_real_escape_string($tutorpassword)."')
";
$num = mysql_num_rows($result = mysql_query($query));
while($row = mysql_fetch_array($result))
{
...
}
但我现在想从Mysql改变而不是使用mysqli。我的问题是,下面的mysqli代码是否完全正确,并且与上面的mysql代码相同?
$query = $mysqli->prepare("
SELECT * FROM Tutor t
WHERE
(t.Tutorusername = '".mysqli_real_escape_string($tutorusername)."')
AND
(t.Tutorpassword = '".mysqli_real_escape_string($tutorpassword)."')
");
$query->bind_result($Tutor);
$num = $query->num_rows($result = $query->execute());
while($row = $result->fetch())
{
...
}
答案 0 :(得分:2)
这里不需要使用preapre()因为你正在连接sql字符串。
$sql="SELECT * FROM Tutor t
WHERE
t.Tutorusername='".mysqli_real_escape_string($tutorusername)."'
AND
t.Tutorpassword = '".mysqli_real_escape_string($tutorpassword)."'");
$result=$mysqli->query($sql);
if($result)
{
$row=$result->fetch_row();
if($row)
print_r($row);
}
对于prepare()方法,您必须指定参数:
$sql="SELECT * FROM Tutor t
WHERE t.Tutorusername=? AND t.Tutorpassword=?";
$stmt=$mysqli->prepare($sql);
$stmt->bind_param("s",$tutorusername);
$stmt->bind_param("s",$tutorpassword);
$stmt->execute();
//I presume that the table "T" has three columns
$stmt->bind_result($col1,$col2,$col2);
while($stmt->fetch())
{
echo "<br/>", $col1,$col2,$col3;
}
PS:阅读mysqli API的PHP手册。