2014-01-13 23 views
2

I need help with the following code to change it from a "procedural" statement to a "prepared statement". I'll do my best to write it: converting to mysqli prepared statements from a procedural file

Default mysqli procedural script

<?php 
$conn = mysqli_connect ('localhost', 'gggggg', 'gggggg') ; 
mysqli_select_db ($conn, 'ggggg'); 

$anti_injection = mysqli_real_escape_string($_GET['user']); 

$sql = "SELECT * FROM profiles WHERE username =".$anti_injection); 
$result = mysqli_query($conn, $query); 

while($row = mysqli_fetch_array($sql)) { 

$username = stripslashes($row['username']); 
$age = stripslashes($row['age']); 
$gender = stripslashes($row['gender']); 
?> 


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> 
<html xmlns="http://www.w3.org/1999/xhtml"> 
<head> 
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> 
<title>title</title> 
</head> 

<body> 
CUSTOM HTML FOR A NICE DESIGN I WANT TO KEEP THE SAME DESIGN LAYOUT ETC... 

    CATEGORY <?php echo $username; ?> 
    TITEL <?php echo $age; ?> 
    CONTENT <?php echo $sex; ?> 

</body> 
</html> 
<?php 
} 
?> 

Now my change to a prepared statement, which I hope works

$query = $sql->prepare("SELECT * FROM profiles WHERE `username`=?") 
$prep->bind_param("s",$anti_injection); 
$prep->execute(); 

This is all I know about doing the SELECT in safe mode, but then with MYSQLI_FETCH_ARRAY I really don't know whether it will work, and I would like, if there is a chance, to keep the script the way I like it, with the echos in between the HTML of the body page

Some example of how it has to be done?

+0

I don't know what the $prep variable is? –

+0

http://www.php.net/manual/en/mysqli.quickstart.prepared-statements.php –

+0

Not even I know. I just copied them from another example, and I'm trying to find out how it's done, without luck :( – Firefighter

Answers

1

First, I highly recommend you don't mix procedural with object. It gets confusing faster that way. Consider using the mysqli object.

$mysqli = new mysqli('localhost'...); 

Second, you're close, but as I said, you're mixing object and procedural, so the way you've changed it won't work. Also, you're bouncing variables around all over the place (if you executed your original it would fail). Assuming you switch to the mysqli object as noted above, you can do this

$prep = $mysqli->prepare("SELECT * FROM profiles WHERE `username`=?"); 
$prep->bind_param("s",$anti_injection); 
$prep->execute(); 

Now, the next part is tricky. You have to have mysqlnd installed to do this, but it's the best way to get the results. If you run this and get an error about get_result being missing, you're not running mysqlnd

$result = $prep->get_result(); 
while($row = $result->fetch_array()) { 
    //Your HTML loop here 
} 
+0

I'll try it and see if it's enabled ty m8 – Firefighter

+0

No luck. Fatal error: Call to undefined method mysqli_stmt::get_result() – Firefighter

+0

Well that's a major bummer. If you can't change your server environment, you'll have to use the rather clunky [bind_result](http://us3.php.net/manual/en/mysqli-stmt.bind-result.php) – Machavity
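As an added example (it is not code from the question or from any of the answers), here is the asker's page rewritten the way this answer recommends: object-oriented mysqli, one prepared statement with a placeholder, `get_result()` when mysqlnd is present and the `bind_result()` fallback Machavity mentions when it is not, and HTML escaping on output in place of `stripslashes()`. The host, credentials, database name and the `profiles` table with `username`, `age` and `gender` columns are assumptions taken from the thread.

```php
<?php
// Added example, not part of the original thread. Assumes a `profiles` table
// with columns username, age, gender; host and credentials are placeholders.

// Make mysqli throw mysqli_sql_exception instead of returning false on failure,
// so a failed prepare()/execute() cannot be silently ignored.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

$mysqli = new mysqli('localhost', 'db_user', 'db_password', 'db_name'); // assumed credentials
$mysqli->set_charset('utf8mb4'); // client and server must agree on one charset

// Read the request parameter once. No escaping is needed: with a placeholder the
// value is sent to the server separately from the SQL text and is never parsed as SQL.
$user = isset($_GET['user']) ? (string) $_GET['user'] : '';

/**
 * Fetch every profile row for one username.
 * Returns a list of associative arrays with keys username, age, gender.
 * Uses get_result() on mysqlnd builds and bind_result() everywhere else.
 */
function fetchProfiles(mysqli $db, $username)
{
    $stmt = $db->prepare('SELECT username, age, gender FROM profiles WHERE username = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();

    $rows = array();
    if (method_exists($stmt, 'get_result')) {
        // mysqlnd available: fetch whole rows as arrays
        $result = $stmt->get_result();
        while ($row = $result->fetch_assoc()) {
            $rows[] = $row;
        }
    } else {
        // libmysqlclient build: one bound PHP variable per selected column,
        // in the same order as the SELECT list; each fetch() refills them.
        $stmt->bind_result($usernameCol, $age, $gender);
        while ($stmt->fetch()) {
            $rows[] = array('username' => $usernameCol, 'age' => $age, 'gender' => $gender);
        }
    }
    $stmt->close();
    return $rows;
}

// Escape for HTML at output time. stripslashes() belonged to the magic_quotes era
// and does nothing against a value such as <script> stored in the table.
function h($s)
{
    return htmlspecialchars((string) $s, ENT_QUOTES, 'UTF-8');
}

$profiles = ($user !== '') ? fetchProfiles($mysqli, $user) : array();
?>
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>title</title>
</head>
<body>
CUSTOM HTML FOR A NICE DESIGN I WANT TO KEEP THE SAME DESIGN LAYOUT ETC...

<?php foreach ($profiles as $row): ?>
    CATEGORY <?php echo h($row['username']); ?><br>
    TITEL <?php echo h($row['age']); ?><br>
    CONTENT <?php echo h($row['gender']); ?><br>
<?php endforeach; ?>

</body>
</html>
```

One caveat on the original script that none of the answers spells out: `mysqli_real_escape_string()` only escapes quote and control characters, and the asker's query concatenated the value without surrounding quotes (`WHERE username =" . $anti_injection`), so an input like `juan OR 1=1` would have been accepted as SQL unchanged. The placeholder removes that class of mistake because quoting is no longer the application's job.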

0

You can do it like that

$link = mysqli_connect("localhost", "my_user", "my_password", "db"); //Establishing connection to the database , this is alias of new mysqli('') 
$query="SELECT * FROM profiles WHERE `username`=?"; 
$stmt = $link->prepare($query); 
$stmt->bind_param("s",$anti_injection); // binding the parameter to it 
$stmt->execute(); //Executing 
$result = $stmt->get_result(); 
while($row = $result->fetch_array(MYSQLI_ASSOC)) // we used MYSQLI_ASSOC flag here you also can use MYSQLI_NUM or MYSQLI_BOTH 
{ 
//Do stuff 
} 
+0

I'll give it a test now, was wondering why #query="SELECT * FROM profiles WHERE `username`=?", you edited the # symbol – Firefighter

+0

Sorry, that was a typo, I'll fix it now –

+0

Tried it and even Dreamweaver gives me a similar query error, select from profiles... it seems some symbol is missing – Firefighter

0

If you're looking to learn, I encourage you to use the Object Oriented Style

The Manual is the first resource where you can find the most accurate information. Taking your example:

$mysqli = new mysqli("example.com", "user", "password", "database"); 
if ($mysqli->connect_errno) { 
    echo "Failed to connect to MySQL: (" . $mysqli->connect_errno . ") " . $mysqli->connect_error; 
} 

// Here you avoid the "undefined variable" warning if $_GET['user'] isn't set 
$user = isset($_GET['user']) ? $_GET['user'] : NULL; 
$row = array(); 

// Checking if $user is NULL (or empty) 
if (!empty($user)) { 
    // Prepared statement, stage 1: prepare 
    if (!($stmt = $mysqli->prepare("SELECT * FROM profiles WHERE `username`=?"))) { 
        echo "Prepare failed: (" . $mysqli->errno . ") " . $mysqli->error; 
    } 
    /* Prepared statement, stage 2: bind and execute */ 
    if (!$stmt->bind_param("s", $user)) { 
        echo "Binding parameters failed: (" . $stmt->errno . ") " . $stmt->error; 
    } 
    if (!$stmt->execute()) { 
        echo "Execute failed: (" . $stmt->errno . ") " . $stmt->error; 
    } 
    // Fetching the result (get_result() needs mysqlnd; otherwise use bind_result()) 
    $res = $stmt->get_result(); 
    $row = $res->fetch_assoc(); 
    /* explicit close recommended */ 
    $stmt->close(); 
} else { 
    // do this code if $user is null 
} 

// Printing out the result 
echo '<pre>'; 
print_r($row); 
echo '</pre>'; 
0

I have provided a script based on yours, which I have commented and tested, and which uses procedural 'mysqli'. Hope it clarifies things.

<?php 
/* (PHP 5.3.18 on XAMPP, windows XP) 
* 
* I will use the procedural 'mysqli' functions in this example as that is 
* what you seem familiar with. 
* 
* However, the 'object oriented' style is preferred currently. 
* 
* It all works fine though :-) 
* 
* I recommend PDO (PHP Data Objects) as the way to go for Database access 
* as it provides a 'common' interface to many database engines. 
*/ 


// this is an example 'select' parameter -- how this value gets set is up to you... 
// use a form, get parameter or other, it is not important. 

$bindparamUsername = 'user_2'; // example!!!! 

// connect to the database... 
$dbConnection = mysqli_connect('localhost', 'test', 'test'); // connect 
mysqli_select_db($dbConnection, 'testmysql'); // my test database 


// the SQL Query... 

// the '?' is a placeholder for a value that will be substituted when the query runs. 
// Note: the ORDER of the selected Columns is important not the column names. 
// 
// Note: The number of selected columns is important and must match the number of 
// 'result' bind variables used later. 

$sql = "SELECT username, age, gender FROM profiles WHERE username = ?"; 

// DB engine: parse the query into an internal form that it understands 
$preparedQuery = mysqli_prepare($dbConnection, $sql); 

// bind an actual input PHP variable to the prepared query so the db will have all required values 
// when the query is executed. 
// 
mysqli_stmt_bind_param($preparedQuery, 's', $bindparamUsername); 

// run the query... 
$success = mysqli_stmt_execute($preparedQuery); // mysqli_execute() is only a deprecated alias of this 


// You can only bind which variables to store the result columns in AFTER the query has run! 
// 

// Now bind where any results from the query will be returned... 
// There must be as many 'bind' variables as there are selected columns! 
// This is because each column value from the query will be returned into the 
// 'bound' PHP variable. 
// 
// Note: You cannot bind to an array. You must bind to an individual PHP variable. 
// 
// I have kept the same names but they are only of use to you. 
$fetchedRow = array('username' => null, 
        'age'  => null, 
        'gender' => null); 


/* 
* Note: order of columns in the query and order of destination variables in the  'bind' statement is important. 
* 
* i.e. $fetchedRow[username] could be replaced with variable $firstColumn, 
*  $fetchedRow[age] could be replaces with variable $secondColumn 
* and so on... 
*  
* There must be as many bind variables as there are columns.    
*/ 
mysqli_stmt_bind_result($preparedQuery, $fetchedRow['username'], 
                                        $fetchedRow['age'], 
                                        $fetchedRow['gender']); 

/* 
* Note: if you use the 'Object Oriented' version of 'mysqli': All of this is 'hidden' 
*  but still happens 'behind the scenes'! 
* 
*/ 
?> 

<!DOCTYPE html> 
<html> 
    <head> 
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> 
    <title></title> 
    </head> 
    <body> 
    CUSTOM HTML FOR A NICE DESIGN I WANT TO KEEP THE SAME DESIGN LAYOUT ETC... 

    <?php // each 'fetch' updates the $fetchedRow PHP variable... ?> 
    <?php while (mysqli_stmt_fetch($preparedQuery)): ?> 
     <br /> 
     CATEGORY <?php echo $fetchedRow['username']; ?> 
     <br /> 
     TITEL <?php echo $fetchedRow['age']; ?> <br /> 
     CONTENT <?php echo $fetchedRow['gender']; ?> <br /> 
    <?php endwhile ?> 

    </body> 
</html> 
+0

I'll test it, but it looks really interesting and easy to understand, thank you very much for your time – Firefighter

+0

There's an error, please look at http://chilecell.com/BOMBERIL/cague.php?username=juan – Firefighter