I'm trying to understand how prepared statements work in MySQL. I was told that all the code I've been using is vulnerable to MySQL injection. I write MySQL query code in CodeIgniter PHP models like this, for example:
public function getOpenLoans($id){
    // $id is concatenated straight into the SQL string, so whatever it contains
    // is parsed by MySQL as part of the query (this is the injection risk).
    $query = 'select a.Amount as OpenLoanAmount , a.monthly_amortization as totalInstallment
              from useropenloan a
              where a.Owner = ' . $id . ' and UPDATE_DT is null';
    $query = $this->db->query($query);
    $result = $query->result();
    return $result;
}
Basically there is some information out there, but what I really want to know is how to convert this into a prepared MySQL statement. I tried different approaches from Stack Overflow and some YouTube tutorials, but they didn't work, so could someone help me write this code as a prepared SQL statement?
I tried it this way:
// PDO-style API: $conn would have to be a PDO connection object; CodeIgniter's
// $this->db does not provide prepare()/bindParam().
$stmt = $conn->prepare('select a.Amount as OpenLoanAmount , a.monthly_amortization as totalInstallment
                        from useropenloan a
                        where a.Owner = :id and UPDATE_DT is null');
$stmt->bindParam(':id', $id);
$stmt->execute();
Answer 0 (score: 1)
public function getOpenLoans($id){
    // "?" is a query-binding placeholder; CodeIgniter escapes each value in the
    // array before substituting it, so $id is treated as data, not SQL.
    $sql = "select a.Amount as OpenLoanAmount , a.monthly_amortization as totalInstallment from useropenloan a where a.Owner = ? and UPDATE_DT is null";
    $query = $this->db->query($sql, array($id));
    $result = $query->result();
    return $result;
}
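As an added example (not code from the question or the answer), here is the same query written two ways inside a CodeIgniter 3 model, once with query bindings and once with Query Builder; the class name Loan_model is assumed, the table and column names are the ones from the question.

```php
<?php
// Added example, assumes CodeIgniter 3 with a model that extends CI_Model.
class Loan_model extends CI_Model
{
    // Query bindings: each "?" is replaced by the matching array element after
    // CodeIgniter has escaped it, so the value can never change the SQL structure.
    public function getOpenLoans($id)
    {
        $sql = 'SELECT a.Amount AS OpenLoanAmount, a.monthly_amortization AS totalInstallment
                FROM useropenloan a
                WHERE a.Owner = ? AND UPDATE_DT IS NULL';
        // Owner is a numeric id, so casting rejects non-numeric input before it
        // is even bound (defence in depth on top of the escaping).
        $query = $this->db->query($sql, array((int) $id));
        return $query->result();
    }

    // Same query through Query Builder; where() escapes the bound value the same
    // way, and a NULL value produces "UPDATE_DT IS NULL".
    public function getOpenLoansQb($id)
    {
        return $this->db
            ->select('a.Amount AS OpenLoanAmount, a.monthly_amortization AS totalInstallment')
            ->from('useropenloan a')
            ->where('a.Owner', (int) $id)
            ->where('UPDATE_DT', null)
            ->get()
            ->result();
    }
}
```

After either call, `$this->db->last_query()` shows the SQL that was actually sent, which is a quick way to confirm that a value such as `1 OR 1=1` arrives quoted as a string rather than as a condition.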