我必须将PHP变量传递给存储过程调用,该存储过程对我来说是新的,请帮助我。。谢谢!
<?php
include('connection.php');
if(isset($_POST["state_id"]) && !empty($_POST["state_id"]) && isset($_POST["cat_id"]) && !empty($_POST["cat_id"])){
$categoryid=$_POST["cat_id"];
$qttypeid=$_POST["state_id"];
if(($_POST["state_id"]=='1') || ($_POST["state_id"]=='2') ){
$res4=mysqli_query($con,"call PP4($categoryid,$qttypeid)");
echo $res4;
while($res4a=mysqli_fetch_array($res4)){
echo '<option value="'.$res4a['locId'].'">'.$res4a['access'].'</option>';
}
}else{
$res4=mysqli_query($con,"call PP1");
while($res4a=mysqli_fetch_array($res4)){
echo '<option value="'.$res4a['locId'].'">'.$res4a['access'].'</option>';
}
}
}
?>
答案 0 :(得分:0)
打开SQL注入,您将需要使用准备好的语句来清理您的论点。这是处理准备好的语句以调用存储过程的方法。
$connect = new mysqli($servername, $username, $password, $dbname);
// bind the first parameter to the session variable @categoryid
$stmt = $connect->prepare('SET @categoryid := ?');
$stmt->bind_param('s', $categoryid);
$stmt->execute();
// bind the second parameter to the session variable @qttypeid
$stmt = $connect->prepare('SET @qttypeid := ?');
$stmt->bind_param('s', $qttypeid);
$stmt->execute();
// execute the stored Procedure
$result = $connect->query('call PP4(@categoryid, @qttypeid, @msg)');
// getting the value of the OUT parameter
$result = $mysqli->query('SELECT @msg as _output');
$row = $result->fetch_assoc();
echo $row['_output'];