I'm currently stuck on converting the following SQL query into a prepared statement.
$XSS_BLOCK2 = "22-07-2004";
$XSS_BLOCK3 = "20-05-2016";
$dateswitch1 = date("Y-m-d", strtotime($XSS_BLOCK2));
$dateswitch2 = date("Y-m-d", strtotime($XSS_BLOCK3));
$securesqlstring = $secureconn->prepare("SELECT * FROM Lateday WHERE $dateswitch1 AND $dateswitch2 BETWEEN StartDate AND EndDate");
E.g. the working code:
$securesqlstring = $secureconn->prepare("SELECT * FROM Lateday WHERE '2004-07-22' AND '2016-05-20' BETWEEN StartDate AND EndDate");
Code example:
$XSS_BLOCK2 = "22-07-2004";
$XSS_BLOCK3 = "20-05-2016";
$dateswitch1 = date("Y-m-d", strtotime($XSS_BLOCK2));
$dateswitch2 = date("Y-m-d", strtotime($XSS_BLOCK3));
$securesqlstring = $secureconn->prepare("SELECT * FROM Lateday WHERE ? AND ? BETWEEN StartDate AND EndDate");
$securesqlstring->bindParam(1,$dateswitch1);
$securesqlstring->bindParam(2,$dateswitch2);
$securesqlstring->execute();
This currently doesn't work.
Here is a working UPDATE statement example from another project I'm working on; I want to convert the SQL query above into something like the example below:
$id = $_POST["id"];
$stocklevel = $_POST["stocklevel"];
$XSS_Block1 = htmlentities ($id, ENT_QUOTES, "UTF-8");
$XSS_Block2 = htmlentities ($stocklevel, ENT_QUOTES, "UTF-8");
$conn = new PDO("mysql:host=localhost;dbname=;","","");
$mattssqlstring = $conn->prepare("UPDATE `products` SET stocklevel=stocklevel-? WHERE ID=? and stocklevel = ?");
$mattssqlstring->bindParam(1,$XSS_Block2);
$mattssqlstring->bindParam(2,$XSS_Block1);
$mattssqlstring->bindParam(3,$XSS_Block2);
$mattssqlstring->execute();
Answer 0 (score: 2)
$XSS_BLOCK2 = "22-07-2004";
$XSS_BLOCK3 = "20-05-2016";
$securesqlstring = $secureconn->prepare("SELECT * FROM `Lateday` WHERE STR_TO_DATE(:date1,'%d-%m-%Y') AND STR_TO_DATE(:date2,'%d-%m-%Y') BETWEEN `StartDate` AND `EndDate`");
// bind to the handle that was just prepared ($securesqlstring), not to an unrelated variable
$securesqlstring->bindParam(':date1',$XSS_BLOCK2);
$securesqlstring->bindParam(':date2',$XSS_BLOCK3);
$securesqlstring->execute();
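As an added example, not code from the question or from the answer above: the same query written with PDO so that both dates are bound as values, the input format is validated in PHP before binding, and each date is tested with its own BETWEEN. That last point matters because in MySQL BETWEEN binds tighter than AND, so `WHERE :date1 AND :date2 BETWEEN StartDate AND EndDate` is parsed as `(:date1) AND (:date2 BETWEEN StartDate AND EndDate)`, which only tests the second date and treats the first as a bare value that happens to be truthy. The table name and columns (`Lateday`, `StartDate`, `EndDate`) are taken from the question; the DSN, user name and password are placeholder assumptions.

```php
<?php
// Added example, not from the original question or answer.
// Assumptions: a MySQL table `Lateday` with DATE columns `StartDate` and
// `EndDate`; DSN and credentials are placeholders to be replaced.
declare(strict_types=1);

const DSN     = 'mysql:host=localhost;dbname=example;charset=utf8mb4'; // assumed
const DB_USER = 'app';                                                 // assumed
const DB_PASS = 'secret';                                              // assumed

/**
 * Parse a user-supplied "dd-mm-yyyy" string strictly and return "Y-m-d".
 * createFromFormat() with a leading "!" zeroes the time part, and
 * getLastErrors() reports overflow such as "31-02-2004" (a warning) or
 * trailing garbage (an error) that strtotime() would silently accept or
 * roll over. getLastErrors() returns false on PHP 8.2+ when there is nothing
 * to report, so both shapes are handled.
 */
function toIsoDate(string $input): string
{
    $dt = DateTimeImmutable::createFromFormat('!d-m-Y', $input);
    $errors = DateTimeImmutable::getLastErrors();
    $bad = $dt === false
        || ($errors !== false && ($errors['warning_count'] > 0 || $errors['error_count'] > 0));
    if ($bad) {
        throw new InvalidArgumentException("Invalid date: $input");
    }
    return $dt->format('Y-m-d');
}

/**
 * Rows of Lateday whose [StartDate, EndDate] range contains BOTH dates.
 * Each date gets its own BETWEEN; see the precedence note in the lead-in.
 */
function findLatedayRows(PDO $pdo, string $from, string $to): array
{
    $sql = 'SELECT * FROM `Lateday`
            WHERE :date1 BETWEEN `StartDate` AND `EndDate`
              AND :date2 BETWEEN `StartDate` AND `EndDate`';
    $stmt = $pdo->prepare($sql);
    // bindValue() copies the value now; bindParam() binds by reference and
    // only reads the variable at execute(), which surprises people in loops.
    // No htmlentities() here: that is HTML output encoding and has nothing to
    // do with SQL; the placeholder is what keeps the value out of the query text.
    $stmt->bindValue(':date1', toIsoDate($from), PDO::PARAM_STR);
    $stmt->bindValue(':date2', toIsoDate($to), PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$pdo = new PDO(DSN, DB_USER, DB_PASS, [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // fail loudly instead of returning empty results
    PDO::ATTR_EMULATE_PREPARES   => false,                  // server-side prepares: values never touch the SQL text
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
]);

// Values as they would arrive from a form (constructed sample input).
$rows = findLatedayRows($pdo, '22-07-2004', '20-05-2016');
printf("%d matching row(s)%s", count($rows), PHP_EOL);

// A hostile value is rejected by the strict parser before it is ever bound;
// even if it reached bindValue() it would be sent as data, not as SQL.
try {
    findLatedayRows($pdo, "20-05-2016' OR 1=1 -- ", '20-05-2016');
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

The answer above converts the format inside MySQL with STR_TO_DATE() instead of in PHP; either place is fine as long as the raw string arrives through a bound parameter. Doing it in PHP has the advantage that an unparseable date is rejected with a clear error rather than becoming NULL in the comparison.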