2015-11-11 59 views

So I'm new to MySQL and PHP, and I've built a query based on conditions because our database structure is a bit strange. Before developing it any further, I'd like to implement the query as a prepared statement with parameters to prevent injection. I watched a video that used real_escape_string to prevent SQL injection, so my first question is: is that enough, or are parameters absolutely necessary? My feeling is that they are. The next question is: what is wrong with the way I've implemented this, apart from it being very long? Basically, the form has 4 drop-down menus, each containing 5 options; the user can pick 1 option from each drop-down and then submit. Using the $_POST variables, I select what I need from the database in the best way I could think of. So, if I've done that part without any problems, my question is: where and how do I start implementing prepared statements with this? I've researched it, but I have a hard time understanding what I'm doing. I'm thinking I need the same if-else conditions to set the parameters, but even then I'm still confused about where to put them. If anyone can help me, I'd be very grateful. Thanks.... The big query is below: how do I go about executing a prepared statement with parameters, and is it even possible with this query?

Also, getHourValue() returns a string that is appended to the query segment depending on the value in $_POST['hours']; since it is a very long segment used repeatedly, I put it in a function.

  if($_POST['category'] == "anywhere") { 
       if($_POST['food'] == "No") { 
        if($_POST['extra'] == "anything") { 
         $sql = "SELECT name, description FROM pubs WHERE (food LIKE '%Yes%' " . getHourValue($_POST['hours']) . ") 
         OR (food LIKE '%No%' " . getHourValue($_POST['hours']) . ")"; 
        } 
        else if($_POST['extra'] == "everything") { 
         $sql = "SELECT name, description FROM pubs WHERE (food LIKE '%Yes%' AND pool LIKE '%Yes%' AND dancing LIKE '%Yes%' AND tv LIKE '%Yes%' " 
           . getHourValue($_POST['hours']) . ") OR (food LIKE '%No%' 
           AND pool LIKE '%Yes%' AND dancing LIKE '%Yes%' AND tv LIKE '%Yes%' " 
           . getHourValue($_POST['hours']) . ")"; 
        } 
        else { 
         $sql = "SELECT name, description FROM pubs WHERE (food LIKE '%Yes%' AND " . $_POST['extra'] . " LIKE '%Yes%' " . getHourValue($_POST['hours']) .") 
         OR (food LIKE '%No%' AND " . $_POST['extra'] . " LIKE '%Yes%' " . getHourValue($_POST['hours']) . ")"; 
        } 
       } 
       else if($_POST['extra'] == "anything") { 
        $sql = "SELECT name, description FROM pubs WHERE food LIKE '%Yes%' " 
          . getHourValue($_POST['hours']); 
       } 
       else if($_POST['extra'] == "everything") { 
        $sql = "SELECT name, description FROM pubs WHERE food LIKE '%Yes%' 
          AND pool LIKE '%Yes%' AND dancing LIKE '%Yes%' AND tv LIKE '%Yes%' " 
          . getHourValue($_POST['hours']); 
       } 
       else { 
        $sql = "SELECT name, description FROM pubs WHERE food LIKE '%Yes%' 
          AND " . $_POST['extra'] . " LIKE '%Yes%' " 
          . getHourValue($_POST['hours']); 
       } 
      } 
      else { 
       if($_POST['food'] == "No") { 
        if($_POST['extra'] == "anything") { 
         $sql = "SELECT name, description FROM pubs WHERE (category LIKE '%" . $_POST['category'] . "%' " . getHourValue($_POST['hours']) . " 
           AND food LIKE '%Yes%') OR (category LIKE '%" . $_POST['category'] . "%' " . getHourValue($_POST['hours']) . " AND food LIKE '%No%')"; 

        } 
        else if($_POST['extra'] == "everything") { 
         $sql = "SELECT name, description FROM pubs WHERE (category LIKE '%" . $_POST['category'] . "%'" 
           . getHourValue($_POST['hours']) . " AND food LIKE '%Yes%' AND pool LIKE '%Yes%' AND dancing LIKE '%Yes%' AND tv LIKE '%Yes%') 
           OR (category LIKE '%" . $_POST['category'] . "%'" 
           . getHourValue($_POST['hours']) . " AND food LIKE '%No%' AND pool LIKE '%Yes%' AND dancing LIKE '%Yes%' AND tv LIKE '%Yes%')"; 
        } 
        else { 
         $sql = "SELECT name, description FROM pubs WHERE (category LIKE '%" . $_POST['category'] . "%' " 
          . getHourValue($_POST['hours']) . " AND food LIKE '%Yes%' AND " . $_POST['extra'] . " LIKE '%Yes%') OR (category LIKE '%" . $_POST['category'] . "%' " . getHourValue($_POST['hours']) . " 
          AND food LIKE '%No%' AND " . $_POST['extra'] . " LIKE '%Yes%')"; 
        } 
       } 
       else if($_POST['extra'] == "anything") { 
        $sql = "SELECT name, description FROM pubs WHERE category LIKE '%" . $_POST['category'] . "%' 
          AND food LIKE '%Yes%' " 
          . getHourValue($_POST['hours']); 
       } 
       else if($_POST['extra'] == "everything") { 
        $sql = "SELECT name, description FROM pubs WHERE category LIKE '%" . $_POST['category'] . "%' 
          AND food LIKE '%Yes%' AND pool LIKE '%Yes%' AND dancing LIKE '%Yes%' AND tv LIKE '%Yes%' " 
          . getHourValue($_POST['hours']); 
       } 
       else { 
        $sql = "SELECT name, description FROM pubs WHERE category LIKE '%" . $_POST['category'] . "%' 
          AND food LIKE '%Yes%' AND " . $_POST['extra'] . " LIKE '%Yes%' " 
          . getHourValue($_POST['hours']); 
       } 
      } 

Answer


You should create some kind of query builder (or use an existing one from a framework). Adding prepared statements to the code above makes it even more complex (though that is no excuse).

Example: you collect all the conditions in an array, inject a placeholder for each condition, and then bind the values on the PDO statement.

Note: the code below is untested.

<?php 

$sql = 'SELECT name, description FROM pubs'; 
$where = []; 
$params = []; 

// If condition 
// then add it to where 
// $where[] = '(field1 = :field1)'; 
// $params[':field1'] = $_POST['field1']; 

// If another condition 
// then add to where 
// $where[] = 'field2 = :field2'; 
// $params[':field2'] = $_POST['field2']; 

// Combine where conditions (you may need to implement both AND and OR) 
if (!empty($where)) { 
    $sql .= ' WHERE '.implode(' AND ', $where); 
} 

// Assuming this is your pdo object 
$statement = $pdo->prepare($sql); 

// Bind your parameter values 
if (!empty($params)) { 
    foreach ($params as $key => $value) { 
     $statement->bindValue($key, $value, \PDO::PARAM_STR); // the constant is PDO::PARAM_STR (no leading underscore)
    } 
} 

// Then fetch the records 
$statement->execute(); 

$result = $statement->fetchAll(PDO::FETCH_ASSOC); 

var_dump($result); 
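The following is a worked version of the builder approach the answer sketches, applied to the four form fields from the question. It is an added example, not code from the question or the answer. It assumes the pubs table has the columns category, food, pool, dancing and tv, that food only ever holds "Yes" or "No" (so the two OR branches in the original, which differ only in the food clause, collapse into simply dropping the food filter), and, since getHourValue() is not shown, that the hours condition is a plain LIKE match on an assumed "hours" column. The one thing placeholders cannot do is stand in for a column name, which is what the original does with $_POST['extra']; that value is therefore checked against a fixed allow-list of column names instead of being bound.

```php
<?php
// Added example (not from the question or the answer): one parameterised
// PDO query built from the four form fields, with an allow-list for the
// column name that the original code interpolated directly.
declare(strict_types=1);

/**
 * Build the SQL text and the parameter map for the pubs search.
 * Returns [string $sql, array $params].
 */
function buildPubQuery(array $input): array
{
    // Column names cannot be bound as placeholders, so the "extra" field
    // is validated against this allow-list (assumed column names).
    $extraColumns = ['pool', 'dancing', 'tv'];

    $where  = [];
    $params = [];

    // category: "anywhere" means no restriction, otherwise a bound LIKE match.
    if (($input['category'] ?? 'anywhere') !== 'anywhere') {
        $where[]             = 'category LIKE :category';
        $params[':category'] = '%' . $input['category'] . '%';
    }

    // food: "No" in the original means "with or without food", i.e. no filter.
    if (($input['food'] ?? 'No') !== 'No') {
        $where[]         = 'food LIKE :food';
        $params[':food'] = '%Yes%';
    }

    // extra: "anything" = no filter, "everything" = all extras, else one named extra.
    $extra = $input['extra'] ?? 'anything';
    if ($extra === 'everything') {
        foreach ($extraColumns as $col) {
            $where[] = $col . " LIKE '%Yes%'";   // literal, no user data involved
        }
    } elseif ($extra !== 'anything') {
        if (!in_array($extra, $extraColumns, true)) {
            throw new InvalidArgumentException('Unknown extra: ' . $extra);
        }
        $where[] = $extra . " LIKE '%Yes%'";     // safe: value came from the allow-list
    }

    // hours: assumed to be a plain value matched against an assumed "hours"
    // column; this stands in for the question's getHourValue(), which is not shown.
    if (isset($input['hours']) && $input['hours'] !== '') {
        $where[]          = 'hours LIKE :hours';
        $params[':hours'] = '%' . $input['hours'] . '%';
    }

    $sql = 'SELECT name, description FROM pubs';
    if ($where !== []) {
        $sql .= ' WHERE ' . implode(' AND ', $where);
    }
    return [$sql, $params];
}

// Running it against a database (DSN and credentials are placeholders):
// $pdo = new PDO('mysql:host=localhost;dbname=DB_NAME;charset=utf8mb4', 'USER', 'PASS', [
//     PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
//     PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepared statements
// ]);
// [$sql, $params] = buildPubQuery($_POST);
// $stmt = $pdo->prepare($sql);
// foreach ($params as $key => $value) {
//     $stmt->bindValue($key, $value, PDO::PARAM_STR);
// }
// $stmt->execute();
// $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);

// Offline demonstration with constructed form input:
[$sql, $params] = buildPubQuery([
    'category' => 'bar',
    'food'     => 'Yes',
    'extra'    => 'pool',
    'hours'    => 'late',
]);
echo $sql, PHP_EOL;
print_r($params);
```

With the constructed input above the builder produces `SELECT name, description FROM pubs WHERE category LIKE :category AND food LIKE :food AND pool LIKE '%Yes%' AND hours LIKE :hours` with three bound values, so the user's text never touches the SQL text. Disabling emulated prepares makes the server parse the statement once and receive the values separately, which is the property that stops injection; the allow-list is what covers the one input (a column name) that placeholders cannot protect.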