2014-01-29 113 views
0

I am querying my database with a keyword search ($wordsToSearch) and/or some category tag words ($tagsToSearch), if there are any.
This is my function. It is not safe, because I use concatenation to add parts of the query. How should I filter the variables with PDO and then add the parts of the query only when needed?
Thanks everyone. Custom MySql query with PDO

$wordsToSearch = " ";
$tagsToSearch = " ";

if(is_string($search)){
    // $search is concatenated straight into the SQL text (the unsafe part)
    $wordsToSearch = "WHERE (
          `artist_nm` LIKE '%".$search."%'
          OR `place` LIKE '%".$search."%'
          )";
}
if(is_string($searchtags)){
    // each comma-separated tag is likewise concatenated into the HAVING clause
    $arrayTags = explode(',', $searchtags);
    $tagsToSearch = "HAVING (
          `tags` LIKE '%".$arrayTags[0]."%' ";
    foreach ($arrayTags as $key => $value) {
     if($key != 0 && $key <= 20) {
      $tagsToSearch .= "OR `tags` LIKE '%".$value."%' ";
     }
    }
    $tagsToSearch .= ")";

}

$database->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// the optional WHERE / HAVING fragments are spliced into the query string here
$STH = $database->prepare('SELECT id, lat, lng, CONCAT_WS( "/&/", total, tags) AS data
    FROM (SELECT lat, lng, id, CONCAT_WS( "/&/", img_link, artist_nm, page_link, place, Total_Rating, Rating_Number) AS total, GROUP_CONCAT(tag_name
    SEPARATOR ",") AS tags
    FROM images
    LEFT OUTER JOIN tbl_places ON images.id = tbl_places.KE_img
    LEFT OUTER JOIN rel_tags ON images.id = rel_tags.Id_immagine
    LEFT OUTER JOIN tags ON tags.Id_tag = rel_tags.Id_tag
    '.$wordsToSearch.'
    GROUP BY id '.$tagsToSearch.'
    ) AS subquery
    ');
try {
    $STH->execute();
} catch(PDOException $e){
    echo $e->getMessage();
    die();
}

Answer

0

You are looking for prepared statements. You have to compile the query with some parameters using the prepare() method:

<?php 

// With placeholders 
$sth = $database->prepare('SELECT * FROM table WHERE id = ?'); 

// With named parameters 
$sth = $database->prepare('SELECT * FROM table WHERE id = :id'); 

?> 

Then you can execute the query using these methods:

<?php 

// With placeholders 
$sth->bindParam(1, $yourId, PDO::PARAM_INT); 
$sth->execute(); 
// or 
$sth->execute(array($yourId)); 

// With named parameters 
$sth->bindParam(':id', $yourId, PDO::PARAM_INT); 
$sth->execute(); 
// or 
$sth->execute(array(':id' => $yourId)); 

?> 

Edit:

Of course, you can put multiple parameters:

<?php 

// With placeholders 
$sth = $database->prepare('SELECT * FROM table WHERE username = ? AND password = ?'); 
$sth->bindParam(1, $username, PDO::PARAM_STR); 
$sth->bindParam(2, $password, PDO::PARAM_STR); 
$sth->execute(); 
// or 
$sth->execute(array($username, $password)); 


// With named parameters 
$sth = $database->prepare('SELECT * FROM table WHERE username = :username AND password = :password'); 
$sth->bindParam(':username', $username, PDO::PARAM_STR); 
$sth->bindParam(':password', $password, PDO::PARAM_STR); 
$sth->execute(); 
// or 
$sth->execute(array(':username' => $username, ':password' => $password)); 

?> 

More information in the documentation.
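As an added example, not code from the question or the answer above, here is how the asker's dynamic query can be rebuilt with positional placeholders: the WHERE and HAVING fragments are still added only when needed, but the SQL text contains only `?` markers and every user-supplied value is bound separately. Table and column names come from the question; the function names (`escapeLike`, `buildSearchStatement`), the connection details and the `$_GET` parameter names are assumptions for illustration. It also escapes the LIKE wildcards `%` and `_`, which placeholders alone do not neutralise.

```php
<?php
// Added example: rebuilding the question's dynamic query with PDO placeholders.
// Table/column names are taken from the question; everything else is illustrative.

/**
 * Escape the LIKE wildcards so a user typing "%" or "_" matches literally.
 * Placeholders stop SQL injection, but they do not neutralise LIKE metacharacters.
 */
function escapeLike(string $value): string
{
    return str_replace(['\\', '%', '_'], ['\\\\', '\\%', '\\_'], $value);
}

function buildSearchStatement(PDO $database, ?string $search, ?string $searchtags): PDOStatement
{
    $where  = '';
    $having = '';
    $params = [];          // values bound to the positional placeholders, in order

    if (is_string($search) && $search !== '') {
        // The SQL text contains only placeholders; the user value goes into $params.
        $where = 'WHERE (`artist_nm` LIKE ? OR `place` LIKE ?)';
        $like  = '%' . escapeLike($search) . '%';
        $params[] = $like;
        $params[] = $like;
    }

    if (is_string($searchtags) && $searchtags !== '') {
        // Same cap as the question (indexes 0..20), one placeholder per tag.
        $tags = array_slice(explode(',', $searchtags), 0, 21);
        $tags = array_filter(array_map('trim', $tags), fn($t) => $t !== '');
        if ($tags !== []) {
            $conditions = array_fill(0, count($tags), '`tags` LIKE ?');
            $having = 'HAVING (' . implode(' OR ', $conditions) . ')';
            foreach ($tags as $tag) {
                $params[] = '%' . escapeLike($tag) . '%';
            }
        }
    }

    // $where and $having are built from fixed strings only; no user data is in the SQL text.
    $sql = "SELECT id, lat, lng, CONCAT_WS('/&/', total, tags) AS data
        FROM (SELECT lat, lng, id,
                     CONCAT_WS('/&/', img_link, artist_nm, page_link, place, Total_Rating, Rating_Number) AS total,
                     GROUP_CONCAT(tag_name SEPARATOR ',') AS tags
              FROM images
              LEFT OUTER JOIN tbl_places ON images.id = tbl_places.KE_img
              LEFT OUTER JOIN rel_tags ON images.id = rel_tags.Id_immagine
              LEFT OUTER JOIN tags ON tags.Id_tag = rel_tags.Id_tag
              $where
              GROUP BY id $having
        ) AS subquery";

    $statement = $database->prepare($sql);
    foreach ($params as $index => $value) {
        // Positional placeholders are 1-based; every value is bound as a string.
        $statement->bindValue($index + 1, $value, PDO::PARAM_STR);
    }
    return $statement;
}

// Usage (connection details and request parameter names are placeholders):
$database = new PDO('mysql:host=localhost;dbname=DB_NAME;charset=utf8mb4', 'DB_USER', 'DB_PASS', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // let the MySQL server separate query text from data
]);

$STH = buildSearchStatement($database, $_GET['search'] ?? null, $_GET['searchtags'] ?? null);
$STH->execute();
$rows = $STH->fetchAll(PDO::FETCH_ASSOC);
```

Binding with `bindValue` in a loop is what makes the variable number of tags work: the count of `?` markers always equals the count of entries in `$params`, so a mismatch raises a PDOException instead of silently running a malformed query. Turning off `PDO::ATTR_EMULATE_PREPARES` sends the statement and its values to MySQL separately, so the server never has to parse user input as SQL.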