MySQL prepared UPDATE statement inside a stored procedure

Date: 2016-01-04 09:31:40

Tags: mysql stored-procedures prepared-statement

I have to update records in multiple tables across multiple databases. When I build a prepared statement and execute it, it does not work. But when I run the statement directly, it works.

    set @u = concat("Update `",pDB_NAME,"`.`",pTABLE_NAME,"` set 
        `NAME` ='",pNAME,"',
        `FATHER` ='",pFATHER,"',
        `REGNO` ='",pREGNO,"',
        `SEX` ='",pSEX,"',
        `STATUS` ='",pSTATUS,"',
        `DOB` ='",pDOB,"',
        `DISTT` ='",pDISTT,"',
        `NOC_ISSUED` ='",pNOC_ISSUED,"',
        `ADDRESS` ='",pADDRESS,"',
        `CONTACTNO` ='",pCONTACTNO,"',
        `CNIC` ='",pCNIC,"',
        `FCNIC` ='",pFCNIC,"',
        `SPECIALITY` ='",pSPECIALITY,"',
        `NATIONALITY` ='",pNATIONALITY,"',
        `RELIGION` ='",pRELIGION,"',
        `MEDIUM` ='",pMEDIUM,"',
        `DISTT_CODE` ='",pDISTT_CODE,"',
        `TEH_CODE` ='",pTEH_CODE,"'
        WHERE RNO='",pRNO,"';");
    PREPARE stmt3 FROM @u;

The following statement returns a perfect query:

    select @u;

But the following section produces no result:

    EXECUTE stmt3;
    DEALLOCATE PREPARE stmt3;

1 answer:

Answer 0: (score: 0)

Don't quote column values by wrapping the variable values in quote characters inside the quoted string. It is sloppy, it can mask errors, and it opens the door to SQL injection. Use the QUOTE() function.

    ...
    `NAME` =",QUOTE(pNAME),",
    `FATHER` =",QUOTE(pFATHER),",
    `REGNO` =",QUOTE(pREGNO),",
    ...

This construction also handles escaping and NULL values correctly, which the naively quoted concatenation does not.

http://dev.mysql.com/doc/refman/5.7/en/string-functions.html#function_quote
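The following is an added, runnable illustration of the answer's advice; it is not code from the question or the answer. It reduces the original column list to `RNO`, `NAME`, `FATHER` and `REGNO`, and the database `demo`, the table `students` and the procedure name `upd_student` are assumptions made for the example. It first shows how the naive `'",pNAME,"'` pattern breaks on an apostrophe and collapses to NULL when any argument is NULL (CONCAT() returns NULL in that case, so there is nothing left to PREPARE), then builds the same UPDATE with QUOTE() for every value. Identifiers are a separate problem: QUOTE() produces a string literal, so a database or table name still has to be wrapped in backticks with any embedded backtick doubled.

```sql
-- Added example (not the original poster's or answerer's code).
-- Assumes a throwaway schema `demo`.`students`; run with the mysql client.
DROP DATABASE IF EXISTS demo;
CREATE DATABASE demo;
USE demo;

CREATE TABLE students (
  RNO    INT PRIMARY KEY,
  NAME   VARCHAR(100),
  FATHER VARCHAR(100),
  REGNO  VARCHAR(20)
);
INSERT INTO students VALUES (1, 'old name', 'old father', 'R-1');

-- 1) The naive pattern from the question, reduced to one column.
--    An apostrophe in the value terminates the literal early; the text that
--    SELECT @naive shows is no longer valid SQL, and PREPARE would fail with a
--    syntax error.
SET @naive = CONCAT("UPDATE `demo`.`students` SET `NAME` ='", "O'Brien",
                    "' WHERE RNO='", 1, "';");
SELECT @naive;
--    With a NULL argument the whole string is NULL: CONCAT() returns NULL when
--    any argument is NULL, so @naive_null holds nothing to prepare.
SET @naive_null = CONCAT("UPDATE `demo`.`students` SET `NAME` ='", NULL,
                         "' WHERE RNO='", 1, "';");
SELECT @naive_null;

-- 2) The same UPDATE built with QUOTE() for values and doubled backticks for
--    identifiers.
DELIMITER $$
CREATE PROCEDURE upd_student(
  IN pDB_NAME    VARCHAR(64),
  IN pTABLE_NAME VARCHAR(64),
  IN pNAME       VARCHAR(100),
  IN pFATHER     VARCHAR(100),
  IN pREGNO      VARCHAR(20),
  IN pRNO        INT)
BEGIN
  -- QUOTE() escapes quotes, backslashes, NUL and Control-Z in a value and
  -- renders a NULL argument as the bare word NULL, so the result is always a
  -- syntactically complete literal. It is not for identifiers, which are
  -- quoted with backticks and escaped by doubling any backtick they contain.
  SET @u = CONCAT(
    'UPDATE `', REPLACE(pDB_NAME, '`', '``'),
    '`.`',      REPLACE(pTABLE_NAME, '`', '``'), '` SET ',
    '`NAME` = ',   QUOTE(pNAME),   ', ',
    '`FATHER` = ', QUOTE(pFATHER), ', ',
    '`REGNO` = ',  QUOTE(pREGNO),
    ' WHERE `RNO` = ', QUOTE(pRNO));
  PREPARE stmt3 FROM @u;
  EXECUTE stmt3;
  DEALLOCATE PREPARE stmt3;
END$$
DELIMITER ;

-- A value containing an apostrophe and a NULL both survive intact.
CALL upd_student('demo', 'students', "O'Brien", NULL, 'R-2', 1);
SELECT @u;                               -- the generated statement, for inspection
SELECT RNO, NAME, FATHER, REGNO
FROM students WHERE RNO = 1;             -- NAME = O'Brien, FATHER = NULL, REGNO = R-2

-- An injection attempt through a value is neutralised: QUOTE() turns the whole
-- payload into a single string literal, so it is stored in NAME verbatim and
-- REGNO is set only by the legitimate parameter.
CALL upd_student('demo', 'students',
                 "x', `REGNO` = 'pwned' WHERE 1 OR '", 'f', 'R-3', 1);
SELECT NAME, REGNO FROM students WHERE RNO = 1;   -- REGNO = R-3, not pwned
```

The exact escape sequence QUOTE() emits for an apostrophe depends on `sql_mode` (backslash-escaped by default, doubled under `NO_BACKSLASH_ESCAPES`), which is one more reason to let the server produce it rather than hand-assembling quotes. If the column list is fixed and only the values vary, the values can also be passed as `?` placeholders with `EXECUTE stmt3 USING @v1, @v2, ...` instead of being interpolated at all; the database and table names, however, cannot be parameters, so they always need the identifier escaping shown above.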