I'm getting an error when trying to use values retrieved via $_GET[], specifically $start and $end, which I use to limit the number of results. Whenever I hard-code the values in the code at the bottom, the server fetches the results without any problem. Why can't I pass parameters to LIMIT with a prepared statement written for MySQL using PHP PDO?
This is the error I get:
Fatal error: Uncaught exception 'PDOException' with message 'SQLSTATE[42000]:
Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''0', '20'
ORDER by orders.order_placed' at line 10' in /base/data/home/apps/s~beta/1.383539951926438776/admin/get/getorderitems.php:35
Stack trace:
#0 /base/data/home/apps/s~beta/1.383539951926438776/admin/get/getorderitems.php(35): PDOStatement->execute()
#1 {main}
thrown in /base/data/home/apps/s~beta/1.383539951926438776/admin/get/getorderitems.php on line 35
<?php
error_reporting(E_ALL); ini_set('display_errors', 1);
require('../../dbconnect.php');
$stadiums_id = $_GET['stadiums_id'];
$time = $_GET['time'];
$time_12ago = $time - 43200000; // last 12 hours
$start = 0 + $_GET['start']; // used for limit clause
$end = $start + 20;
$page = $_GET['page'];
$json = null;
// incoming order
if($page === "incoming"){
$statement=$con->prepare('SELECT orders.*,orders_has_items.*,
customers.id,customers.fname,customers.lname,items.*
FROM orders_has_items,items,orders,customers
WHERE orders.stadiums_id = :stadiums_id
AND orders_has_items.items_id = items.id
AND orders.id = orders_has_items.orders_id
AND customers.id = orders.customers_id
AND (orders.order_prepared IS NULL)
AND orders.create_time BETWEEN :time_12ago AND :time
ORDER by orders.order_placed
limit :start, :end');
$statement->bindParam(':stadiums_id',$stadiums_id); // bind param to variable
$statement->bindParam(':time_12ago',$time_12ago); // bind param to variable
$statement->bindParam(':time',$time); // bind param to variable
$statement->bindParam(':start',$start); // bind param to variable
$statement->bindParam(':end',$end); // bind param to variable
$statement->execute();
$results=$statement->fetchAll(PDO::FETCH_ASSOC);
$json=json_encode($results);
}
However, the code below works fine when the limit is hard-coded, as shown here:
$statement = $con->prepare('SELECT orders.*,orders_has_items.*,
customers.id,customers.fname,customers.lname,
items.*
from orders_has_items,items,orders,customers
where orders.stadiums_id = 1
and orders_has_items.items_id = items.id
and orders.id = orders_has_items.orders_id
and customers.id = orders.customers_id
and (orders.order_prepared IS NULL)
and orders.create_time between (1428735225152-43200000) and 1428735225152
order by orders.order_placed
limit 0,10');
$statement->execute();
$results=$statement->fetchAll(PDO::FETCH_ASSOC);
$json = json_encode($results);
Answer 0 (score: 0)
By default, bindParam() binds parameters as strings. Cast the value to an integer before passing it to the bind function, and set the data type to PDO::PARAM_INT:
$start = (int)$start; // cast first: bindParam() takes a variable by reference, not an expression
$statement->bindParam(':start', $start, PDO::PARAM_INT); // bind as integer so LIMIT gets 0, not '0'
$end = (int)$end;
$statement->bindParam(':end', $end, PDO::PARAM_INT);
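To show the fix in context, here is an added example of a hardened version of the question's paged "incoming orders" query; it is not code from the question or the answer above. It assumes the tables and columns used in the question and a PDO MySQL connection; the DSN, credentials and the function names readQueryInts and fetchIncomingOrders are placeholders chosen here. It uses bindValue() rather than bindParam() so that expressions such as $time - 43200000 can be bound directly, and it validates the $_GET inputs as integers instead of casting them silently. Note that MySQL's two-argument form is LIMIT offset, row_count, so the second value bound is a page size rather than the $start + 20 end position used in the question.

```php
<?php
// Added example (not from the original question or answer): a hardened version of
// the paged query from the question. Assumes the question's tables/columns and a
// PDO MySQL connection; DSN and credentials below are placeholders.
declare(strict_types=1);

/**
 * Validate the filter/paging values from $_GET. FILTER_VALIDATE_INT rejects
 * anything that is not a plain integer ("0abc", "1e3", "") instead of coercing
 * it, and min_range stops negative offsets from reaching the query.
 */
function readQueryInts(array $query): array
{
    $opts = ['options' => ['min_range' => 0]];
    $stadiumsId = filter_var($query['stadiums_id'] ?? null, FILTER_VALIDATE_INT, $opts);
    $time       = filter_var($query['time'] ?? null, FILTER_VALIDATE_INT, $opts);
    $start      = filter_var($query['start'] ?? 0, FILTER_VALIDATE_INT, $opts);
    if ($stadiumsId === false || $time === false || $start === false) {
        throw new InvalidArgumentException('stadiums_id, time and start must be non-negative integers');
    }
    return [$stadiumsId, $time, $start];
}

/**
 * MySQL's two-argument LIMIT is "LIMIT offset, row_count", so the second value is
 * a page size. Both are bound with PDO::PARAM_INT on real PHP integers: with native
 * prepares MySQL receives them typed, and with emulated prepares PDO emits an
 * unquoted integer literal instead of the '0', '20' seen in the error message.
 */
function fetchIncomingOrders(PDO $con, int $stadiumsId, int $time, int $start, int $pageSize = 20): array
{
    $sql = 'SELECT orders.*, orders_has_items.*,
                   customers.id, customers.fname, customers.lname, items.*
            FROM orders
            JOIN orders_has_items ON orders.id = orders_has_items.orders_id
            JOIN items            ON orders_has_items.items_id = items.id
            JOIN customers        ON customers.id = orders.customers_id
            WHERE orders.stadiums_id = :stadiums_id
              AND orders.order_prepared IS NULL
              AND orders.create_time BETWEEN :time_12ago AND :time
            ORDER BY orders.order_placed
            LIMIT :start, :page_size';

    $stmt = $con->prepare($sql);
    $stmt->bindValue(':stadiums_id', $stadiumsId, PDO::PARAM_INT);
    $stmt->bindValue(':time_12ago', $time - 43200000, PDO::PARAM_INT); // last 12 hours, in ms
    $stmt->bindValue(':time', $time, PDO::PARAM_INT);
    $stmt->bindValue(':start', $start, PDO::PARAM_INT);
    $stmt->bindValue(':page_size', $pageSize, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Usage (DB_HOST, DB_NAME, DB_USER and DB_PASSWORD are placeholders):
$con = new PDO('mysql:host=DB_HOST;dbname=DB_NAME;charset=utf8mb4', 'DB_USER', 'DB_PASSWORD', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // surface SQL errors as exceptions
    PDO::ATTR_EMULATE_PREPARES => false,                  // let MySQL bind the typed values itself
]);

[$stadiumsId, $time, $start] = readQueryInts($_GET);
header('Content-Type: application/json');
echo json_encode(fetchIncomingOrders($con, $stadiumsId, $time, $start), JSON_THROW_ON_ERROR);
```

Disabling PDO::ATTR_EMULATE_PREPARES is optional here: once the values are real integers bound as PDO::PARAM_INT, the emulated path also produces `LIMIT 0, 20` rather than quoted strings, but native prepares keep the type handling on the server side and make the query's behaviour easier to reason about.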