I have to update records in several tables across several databases. When I build the statement with PREPARE and execute it, it does not work. But when I run the statement directly, it works.
set @u = concat("Update `",pDB_NAME,"`.`",pTABLE_NAME,"` set
`NAME` ='",pNAME,"',
`FATHER` ='",pFATHER,"',
`REGNO` ='",pREGNO,"',
`SEX` ='",pSEX,"',
`STATUS` ='",pSTATUS,"',
`DOB` ='",pDOB,"',
`DISTT` ='",pDISTT,"',
`NOC_ISSUED` ='",pNOC_ISSUED,"',
`ADDRESS` ='",pADDRESS,"',
`CONTACTNO` ='",pCONTACTNO,"',
`CNIC` ='",pCNIC,"',
`FCNIC` ='",pFCNIC,"',
`SPECIALITY` ='",pSPECIALITY,"',
`NATIONALITY` ='",pNATIONALITY,"',
`RELIGION` ='",pRELIGION,"',
`MEDIUM` ='",pMEDIUM,"',
`DISTT_CODE` ='",pDISTT_CODE,"',
`TEH_CODE` ='",pTEH_CODE,"'
WHERE RNO='",pRNO,"';");
PREPARE stmt3 FROM @u;
The following statement returns the correct query:
select @u;
But there is no result from the following section:
EXECUTE stmt3;
DEALLOCATE PREPARE stmt3;
Answer 0: (score: 0)
Don't quote column values by wrapping the variable values in quote characters inside a quoted string. It is sloppy, it can mask errors, and it opens the door to SQL injection. Use the QUOTE() function.
...
`NAME` =",QUOTE(pNAME),",
`FATHER` =",QUOTE(pFATHER),",
`REGNO` =",QUOTE(pREGNO),",
...
This construction also handles escaping and NULL values correctly, which the naively quoted concatenation does not.
http://dev.mysql.com/doc/refman/5.7/en/string-functions.html#function_quote
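As an added example (not code from the question or the answer above), here is a complete MySQL stored procedure that builds the UPDATE the way the answer recommends: values go through QUOTE(), the identifiers are backtick-quoted, and ROW_COUNT() is read after EXECUTE because an UPDATE returns no result set. The schema, table, procedure and column subset (demo_db, student, sp_update_student) are constructed for this example; DELIMITER is a mysql client command, so run this in the mysql shell.

```sql
-- Added example: constructed schema so the procedure can be run end to end.
CREATE DATABASE IF NOT EXISTS demo_db;
CREATE TABLE IF NOT EXISTS demo_db.student (
  RNO    INT PRIMARY KEY,
  NAME   VARCHAR(100),
  FATHER VARCHAR(100),
  REGNO  VARCHAR(50)
);
INSERT INTO demo_db.student VALUES (1, 'old name', 'old father', 'R-1');

DELIMITER $$
CREATE PROCEDURE sp_update_student(
  IN pDB_NAME    VARCHAR(64),
  IN pTABLE_NAME VARCHAR(64),
  IN pNAME       VARCHAR(100),
  IN pFATHER     VARCHAR(100),
  IN pREGNO      VARCHAR(50),
  IN pRNO        INT)
BEGIN
  -- Identifiers cannot be passed through QUOTE(): it produces a string literal,
  -- not a name. Backtick-quote them and double any embedded backtick; in a real
  -- application the schema and table names should come from a fixed allow-list.
  SET @u = CONCAT(
    'UPDATE `', REPLACE(pDB_NAME, '`', '``'),
    '`.`',       REPLACE(pTABLE_NAME, '`', '``'), '` SET ',
    -- QUOTE() wraps each value in single quotes and escapes quotes, backslashes,
    -- NUL and Control-Z; for a NULL argument it emits the bare keyword NULL.
    '`NAME` = ',   QUOTE(pNAME),   ', ',
    '`FATHER` = ', QUOTE(pFATHER), ', ',
    '`REGNO` = ',  QUOTE(pREGNO),
    ' WHERE `RNO` = ', QUOTE(pRNO));

  PREPARE stmt3 FROM @u;
  EXECUTE stmt3;
  -- An UPDATE produces no result set, so ROW_COUNT() is how you see that the
  -- EXECUTE actually changed something. Returning @u alongside it makes the
  -- generated SQL visible for debugging.
  SELECT @u AS executed_sql, ROW_COUNT() AS rows_updated;
  DEALLOCATE PREPARE stmt3;
END $$
DELIMITER ;

-- Constructed input: a name containing a single quote and a NULL father.
-- With naive quoting the first value would break the statement (or change
-- its meaning); with QUOTE() the generated SQL stays valid and NULL is stored
-- as SQL NULL rather than the string 'NULL'.
CALL sp_update_student('demo_db', 'student', "O'Brien", NULL, 'R-42', 1);
SELECT RNO, NAME, FATHER, REGNO FROM demo_db.student WHERE RNO = 1;
```

The QUOTE() call on pRNO is not strictly needed for an INT parameter, but applying it uniformly means every value that reaches the string goes through the same escaping path, which is easier to review than remembering which parameters are numeric.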