Question

這個例子中的mysqli我有一箇舊版本的MySQL代碼的應用程序工作正常：

$query = " 
SELECT * FROM Tutor t 
WHERE 
(t.Tutorusername = '".mysql_real_escape_string($tutorusername)."') 
AND 
(t.Tutorpassword = '".mysql_real_escape_string($tutorpassword)."') 
"; 


$num = mysql_num_rows($result = mysql_query($query)); 


while($row = mysql_fetch_array($result)) 
    { 

    ... 

} 

但我現在wnat從MySQL改變，而使用的mysqli。我的問題是，下面的mysqli代碼與上面的mysql代碼完全正確和相同嗎？

$query = $mysqli->prepare(" 
    SELECT * FROM Tutor t 
    WHERE 
    (t.Tutorusername = '".mysqli_real_escape_string($tutorusername)."') 
    AND 
    (t.Tutorpassword = '".mysqli_real_escape_string($tutorpassword)."') 
    "); 

    $query->bind_result($Tutor); 

    $num = $query->num_rows($result = $query->execute()); 


    while($row = $result->fetch()) 
     { 

... 

} 

Answer 1

這裏不需要使用preapre()，因爲您在連接sql字符串。

$sql="SELECT * FROM Tutor t 
     WHERE 
     t.Tutorusername='".mysqli_real_escape_string($tutorusername)."' 
     AND 
     t.Tutorpassword = '".mysqli_real_escape_string($tutorpassword)."'"); 

$result=$mysqli->query($sql); 
if($result) 
{ 
$row=$result->fetch_row(); 
if($row) 
    print_r($row); 
} 

準備，你必須指定的參數（）方法：

$sql="SELECT * FROM Tutor t 
      WHERE t.Tutorusername=? AND t.Tutorpassword=?"; 

    $stmt=$mysqli->prepare($sql); 
    $stmt->bind_param("s",$tutorusername); 
    $stmt->bind_param("s",$tutorpassword); 

    $stmt->execute(); 

    //I presume that the table "T" has three columns 
    $stmt->bind_result($col1,$col2,$col2); 
    while($stmt->fetch()) 
    { 
    echo "<br/>", $col1,$col2,$col3; 
    } 

PS：閱讀PHP手冊的mysqli API。