您好我正在尝试学习使用预准备语句以避免SQL注入等的正确方法。
当我执行脚本时,我从我的脚本中收到一条消息,说0行插入,我希望这可以说1行插入,当然更新表。我对我准备好的陈述并不完全确定,因为我做了一些研究,我的意思是它因例子而异。
当我更新我的表时,我是否需要声明所有字段或者只更新一个字段?
任何信息都会非常有用。
的index.php
<div id="status"></div>
<div id="maincontent">
<?php //get data from database.
require("classes/class.Scripts.inc");
$insert = new Scripts();
$insert->read();
$insert->update();?>
<form action="index2.php" enctype="multipart/form-data" method="post" name="update" id="update">
<textarea name="content" id="content" class="detail" spellcheck="true" placeholder="Insert article here"></textarea>
<input type="submit" id="update" name="update" value="update" />
</div>
类/ class.Scripts.inc
public function update() {
if (isset($_POST['update'])) {
$stmt = $this->mysqli->prepare("UPDATE datadump SET content=? WHERE id=?");
$id = 1;
/* Bind our params */
$stmt->bind_param('is', $id, $content);
/* Set our params */
$content = isset($_POST['content']) ? $this->mysqli->real_escape_string($_POST['content']) : '';
/* Execute the prepared Statement */
$stmt->execute();
printf("%d Row inserted.\n", $stmt->affected_rows);
}
}
答案 0 :(得分:25)
$stmt = $this->mysqli->prepare("UPDATE datadump SET content=? WHERE id=?");
/* BK: always check whether the prepare() succeeded */
if ($stmt === false) {
trigger_error($this->mysqli->error, E_USER_ERROR);
return;
}
$id = 1;
/* Bind our params */
/* BK: variables must be bound in the same order as the params in your SQL.
* Some people prefer PDO because it supports named parameter. */
$stmt->bind_param('si', $content, $id);
/* Set our params */
/* BK: No need to use escaping when using parameters, in fact, you must not,
* because you'll get literal '\' characters in your content. */
$content = $_POST['content'] ?: '';
/* Execute the prepared Statement */
$status = $stmt->execute();
/* BK: always check whether the execute() succeeded */
if ($status === false) {
trigger_error($stmt->error, E_USER_ERROR);
}
printf("%d Row inserted.\n", $stmt->affected_rows);
回答你的问题:
我从我的脚本中收到一条消息,说0行已插入
这是因为您在绑定参数时反转了参数的顺序。所以你在id列中搜索$ content的数值,这可能被解释为0.所以UPDATE的WHERE子句匹配零行。
我是否需要声明所有字段,或者只更新一个字段?
在UPDATE语句中只设置一列是可以的。其他栏目不会更改。
答案 1 :(得分:3)
事实上,准备好的陈述并不像大家想的那么复杂。相反,基于准备语句的代码是执行查询的最简单和最简洁的方法。以您的代码为例。
public function update($content, $id) {
$stmt = $this->mysqli->prepare("UPDATE datadump SET content=? WHERE id=?");
$stmt->bind_param('si', $content, $id);
$stmt->execute();
return $stmt->affected_rows;
}
正如您所看到的,如果使用得当,代码可以非常简单和简洁!
您基本上只需要三行:
简单到1-2-3!
请注意,您不必手动检查每个功能的结果,而是可以set the reporting mode for mysqli一次。为此,请在mysqli_connect() / new mysqli之前添加以下行:
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
结果与trigger_error几乎相同,但没有一行额外的代码!
答案 2 :(得分:-2)
我想清理Bill Karwin的出色代码
$stmt = $this->mysqli->prepare("UPDATE datadump SET content=? WHERE id=?") or die ($this->mysqli->error);
$id = 1;
// Bind our params
// BK: variables must be bound in the same order as the params in your SQL.
// Some people prefer PDO because it supports named parameter.
$stmt->bind_param('si', $content, $id) or die ($stmt->error);
// Set our params
// BK: No need to use escaping when using parameters, in fact, you must not,
// because you'll get literal '\' characters in your content. */
$content = (string)$_POST['content'] ?: '';
/* Execute the prepared Statement */
$status = $stmt->execute() or die ($stmt->error);
printf("%d Row inserted.\n", $stmt->affected_rows);
我建议使用“或死”代替if子句 我建议强制变量类型采用值:
// If id brings value: '12abc', PHP automatically stops it at 12
$id = (int)$_ POST ["id"];