MySQL prepared statement using parameters returns no data

Time: 2018-06-15 19:54:05

Tags: mysql parameters prepared-statement

I have been trying to get a parameterized prepared statement to work. The first function only shows the header row with the column names and does not show any data. The second function returns all of the requested data. The difference is that the first one uses parameters and the second one only uses concatenated strings. The SELECT statements in the first function are there for debugging purposes; none of the variables contain NULL strings.

I would like to get the parameterized version working, and I would appreciate any help.

I have already checked these Stack Overflow answers: "Multiple Parameters mysql Prepare Statement", "Internals of prepared statement", and "unable to create prepared statements" (possibly the answer to my problem).

-- -----------------------------------------------------
-- procedure getAllBookDataWhere2
-- -----------------------------------------------------

USE `booklibinventory`;
DROP procedure IF EXISTS `booklibinventory`.`getAllBookDataWhere2`;

DELIMITER $$
USE `booklibinventory`$$
CREATE PROCEDURE `getAllBookDataWhere2` 
(
    IN whereStr VARCHAR(256)
)
BEGIN

    DECLARE finalQuery VARCHAR(4096);
    DECLARE selectedFields, leftJoinTables, joinOnFields VARCHAR(1024);
    DECLARE whereClause, orderByClause VARCHAR(256);

    SET @selectedFields = allBooksSelectFields();
    SET @jointTables4Query = allBooksDataTables();
    -- orderBy may become a parameter in the future.
    SET @orderByClause = ' a.LastName, a.FirstName, s.SeriesName, v.VolumeNumber, t.TitleStr';
    SET @whereclause = whereStr;

    -- @selectedFields and @jointTables4Query are concatenated because they don't change,
    -- @whereClause and @orderByClause can change and therefore are parameters.

    -- Debug output: show the clause values before they are bound.
    SELECT @orderByClause;
    SELECT @whereClause;

    SET @finalQuery = CONCAT('SELECT ', @selectedFields);
    SET @finalQuery = CONCAT(@finalQuery, ' FROM bookinfo AS BKI ');
    SET @finalQuery = CONCAT(@finalQuery, @jointTables4Query);
    SET @finalQuery = CONCAT(@finalQuery, ' WHERE ?  ORDER BY ? ;');

    -- Debug output: show the final statement text.
    SELECT @finalQuery;

    PREPARE stmt FROM @finalQuery;
    EXECUTE stmt USING @whereClause, @orderByClause;
    DEALLOCATE PREPARE stmt;

END$$

DELIMITER ;

-- -----------------------------------------------------
-- procedure getAllBookDataWhere
-- -----------------------------------------------------

USE `booklibinventory`;
DROP procedure IF EXISTS `booklibinventory`.`getAllBookDataWhere`;

DELIMITER $$
USE `booklibinventory`$$
CREATE PROCEDURE `getAllBookDataWhere` 
(
    IN whereStr VARCHAR(256)
)
BEGIN

    DECLARE finalQuery VARCHAR(4096);
    DECLARE selectedFields, leftJoinTables, joinOnFields VARCHAR(1024);
    DECLARE whereClause, orderByClause VARCHAR(256);

    SET @selectedFields = allBooksSelectFields();
    SET @jointTables4Query = allBooksDataTables();
    -- orderBy may become a parameter in the future.
    SET @orderByClause = ' ORDER BY a.LastName, a.FirstName, s.SeriesName, v.VolumeNumber, t.TitleStr;';
    SET @whereclause = CONCAT(' WHERE ', whereStr);

    -- @selectedFields and @jointTables4Query are concatenated because they don't change,
    -- @whereClause and @orderByClause can change and therefore are parameters.


    SET @finalQuery = CONCAT('SELECT ', @selectedFields);
    SET @finalQuery = CONCAT(@finalQuery, ' FROM bookinfo AS BKI ');
    SET @finalQuery = CONCAT(@finalQuery, @jointTables4Query);
    SET @finalQuery = CONCAT(@finalQuery, @whereClause);
    SET @finalQuery = CONCAT(@finalQuery, @orderByClause);

    PREPARE stmt FROM @finalQuery;
    EXECUTE stmt;
    DEALLOCATE PREPARE stmt;

END$$

DELIMITER ;

1 answer:

Answer 0 (score: 0)

Parameters are for values, not whole clauses. Your WHERE and ORDER BY clauses are effectively WHERE 'somestring' ORDER BY 'somestring' (note the quotes).

Also, if I remember correctly, EXECUTEd statements do not add their result set to the procedure's returned results; usually the executed statement ends up needing to be an INSERT ... SELECT into a temporary table that the procedure can then SELECT from directly before exiting.

Edit: since you are already concatenating the query together, you can replace your ? placeholders directly: ... WHERE ', @whereClause, ' ORDER BY ', @orderByClause, ';');

Parameters will not protect you from letting raw SQL be user "provided".
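The answer's point, carried through as an added example (not code from the question or the answer): the WHERE and ORDER BY text stays fixed inside the procedure, only the comparison value is bound through `?`, and the sort column is picked from a whitelist instead of being spliced in. It reuses the question's `bookinfo` table, the `a`/`s`/`v`/`t` aliases and the asker's `allBooksSelectFields()`/`allBooksDataTables()` helpers; the procedure and parameter names are mine.

```sql
-- Added example: a value-parameterized variant of the question's procedure.
-- Assumes allBooksDataTables() defines the aliases a, s, v and t as in the question.
DELIMITER $$
CREATE PROCEDURE getBooksByAuthor
(
    IN p_lastName VARCHAR(128),   -- a VALUE: bound through ? at EXECUTE time
    IN p_sortKey  VARCHAR(32)     -- a CHOICE: mapped onto whitelisted SQL below
)
BEGIN
    DECLARE v_orderBy VARCHAR(128);

    -- Identifiers cannot be bound with ?, so the sort column is chosen from a
    -- fixed list; anything unrecognised falls back to the default order.
    SET v_orderBy = CASE p_sortKey
        WHEN 'title'  THEN 't.TitleStr'
        WHEN 'series' THEN 's.SeriesName, v.VolumeNumber'
        ELSE 'a.LastName, a.FirstName, s.SeriesName, v.VolumeNumber, t.TitleStr'
    END;

    -- The statement text contains no caller-supplied characters at all:
    -- the only ? stands for a single comparison value.
    SET @sql = CONCAT('SELECT ', allBooksSelectFields(),
                      ' FROM bookinfo AS BKI ', allBooksDataTables(),
                      ' WHERE a.LastName = ?',
                      ' ORDER BY ', v_orderBy);

    -- PREPARE and USING only accept user variables, not routine parameters.
    SET @p_lastName = p_lastName;
    PREPARE stmt FROM @sql;
    EXECUTE stmt USING @p_lastName;
    DEALLOCATE PREPARE stmt;
END$$
DELIMITER ;

-- A quote inside the value is bound as data, not interpreted as SQL.
CALL getBooksByAuthor('O''Brien', 'title');
```

If a caller needs richer filtering, add one `?` per value (or an optional pattern such as `a.LastName LIKE ?`) rather than accepting a pre-built WHERE clause, so the procedure never has to trust its caller's SQL.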