Converting to a MySQL prepared statement

Time: 2016-10-04 06:37:41

Tags: php mysql codeigniter

I am trying to learn how prepared statements work in MySQL. I was told that all the code I use is vulnerable to MySQL injection. I write MySQL query code like this in CodeIgniter PHP models, for example:

public function getOpenLoans($id){
    // $id is concatenated straight into the SQL text: this is the injectable version
    $query = 'select a.Amount as OpenLoanAmount , a.monthly_amortization as totalInstallment
              from useropenloan a
              where a.Owner = ' . $id . ' and UPDATE_DT is null';

    $query = $this->db->query($query);
    $result = $query->result();
    return $result;
}

Basically there is some information there, but what I really want to know is how to convert it into a MySQL prepared statement. I tried different approaches from stackoverflow and some youtube tutorials, but they didn't work, so can someone help me write this code as a prepared SQL statement.

I tried it this way

// PDO-style attempt ($conn is assumed to be a PDO connection); the SQL must be a quoted string
$stmt = $conn->prepare('select a.Amount as OpenLoanAmount , a.monthly_amortization as totalInstallment
                        from useropenloan a
                        where a.Owner = :id and UPDATE_DT is null');
$stmt->bindParam(':id', $id);
$stmt->execute();

1 answer:

Answer 0 (score: 1)

public function getOpenLoans($id){
  // "?" is a CodeIgniter query-binding placeholder; the value is passed separately in the array
  $sql = "select a.Amount as OpenLoanAmount , a.monthly_amortization as totalInstallment from useropenloan a where a.Owner = ? and UPDATE_DT is null";
  $query = $this->db->query($sql, array($id));
  $result = $query->result();
  return $result;
}
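To make the difference concrete, here is an added example (not code from the question or the answer) that runs the question's concatenated query next to a parameterised one against an in-memory SQLite database, so it works offline without MySQL or CodeIgniter. The table name and columns follow the question; the rows and the attacker input are constructed. With MySQL only the PDO DSN changes; the prepare/bindValue/execute calls are identical. One caveat worth knowing: in CodeIgniter 3 the `?` bindings used in the answer are applied on the client side by escaping the value and substituting it into the SQL string, which still prevents injection for ordinary values, whereas PDO prepared statements (as below) send the SQL and the value to the server separately.

```php
<?php
// Added example: vulnerable concatenation beside a prepared statement.
// Uses an in-memory SQLite database (assumption, so the script runs offline);
// table and columns are taken from the question, the data is constructed.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$pdo->exec('CREATE TABLE useropenloan (
    Owner INTEGER NOT NULL,
    Amount REAL NOT NULL,
    monthly_amortization REAL NOT NULL,
    UPDATE_DT TEXT NULL
)');
$pdo->exec("INSERT INTO useropenloan VALUES
    (1,  5000.00, 250.00, NULL),
    (2, 12000.00, 600.00, NULL),
    (3,   800.00,  80.00, '2016-09-01')"); // closed loan: must never be returned

// Vulnerable: the same string building as the question's getOpenLoans().
function getOpenLoansConcat(PDO $pdo, $id) {
    $sql = 'select a.Amount as OpenLoanAmount, a.monthly_amortization as totalInstallment
            from useropenloan a
            where a.Owner = ' . $id . ' and UPDATE_DT is null';
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Safe: the value is bound to a placeholder and never becomes part of the SQL text.
function getOpenLoansPrepared(PDO $pdo, $id) {
    $stmt = $pdo->prepare('select a.Amount as OpenLoanAmount, a.monthly_amortization as totalInstallment
                           from useropenloan a
                           where a.Owner = :id and UPDATE_DT is null');
    $stmt->bindValue(':id', $id); // no hand-written quoting or escaping needed
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$legit   = '1';
// Constructed attacker input. Concatenated, the WHERE clause becomes
//   a.Owner = 1 or 1=1 and UPDATE_DT is null
// and, because AND binds tighter than OR, it matches every open loan of every owner.
$hostile = '1 or 1=1';

printf("concat,   legit id  : %d rows\n", count(getOpenLoansConcat($pdo, $legit)));
printf("concat,   hostile id: %d rows\n", count(getOpenLoansConcat($pdo, $hostile)));
printf("prepared, legit id  : %d rows\n", count(getOpenLoansPrepared($pdo, $legit)));
// Bound, the whole string '1 or 1=1' is compared as an Owner value and matches nothing.
printf("prepared, hostile id: %d rows\n", count(getOpenLoansPrepared($pdo, $hostile)));
```

Run with `php example.php` (needs the pdo_sqlite extension). The concatenated query returns only owner 1's loan for the legitimate id but leaks every open loan for the hostile id; the prepared statement returns owner 1's loan for the legitimate id and no rows at all for the hostile id. Since Owner is numeric, it is also good practice to validate `$id` as an integer (for example `filter_var($id, FILTER_VALIDATE_INT)`) before it reaches the query, so that malformed input is rejected early rather than merely neutralised.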