如何创建准备好的语句来替换 mysqli_query?
How to create a prepared statement to replace mysqli_query?
我正在尝试将 SQL 查询的这一部分变成一个准备好的语句,但是它有相关的函数调用它的结果,所以我很难把它全部捆绑起来,所以这里是
这是 SQL 语句:
{
$name = explode(' ', $key, 2); // Break String into Array.
if(empty($name[1])) {
$sql = "SELECT *
FROM users
WHERE users.user_firstname = '$name[0]'
OR users.user_lastname= '$name[0]'";
} else {
$sql = "SELECT *
FROM users
WHERE users.user_firstname = '$name[0]'
AND users.user_lastname= '$name[1]'";
}
include 'includes/userquery.php';
}
调用它的函数:
$query = mysqli_query($conn, $sql);
if(mysqli_num_rows($query) == 0){
echo '<div class="post">';
echo 'There is no results given the keyword, try to widen your search query.';
echo '</div>';
echo '<br>';
}
while($row = mysqli_fetch_assoc($query)){
include 'includes/post.php';
echo '<br>';
}
我尝试了一些将查询转换为准备好的方法,但我收到诸如 ?未识别占位符或函数接收 bool
如果在使用 $name 数组中的正确值开始查询之前首先加载 2 个变量,则可以简化整个过程。
然后对查询进行简单更改以使其参数化和可绑定,您就可以准备、绑定和执行查询
然后对获取过程进行一个小的更改就可以让你离开 运行
{
$name = explode(' ', $key, 2); // Break String into Array.
if(empty($name[1])) {
$n1 = $name[0];
$n2 = $name[0];
$sql = "SELECT *
FROM users
WHERE users.user_firstname = ?
OR users.user_lastname= ?";
} else {
$n1 = $name[0];
$n2 = $name[1];
$sql = "SELECT *
FROM users
WHERE users.user_firstname = ?
AND users.user_lastname= ?";
}
$stmt = $conn->prepare($sql);
$stmt->bind_param('ss', $n1,$n2);
$result = $stmt->execute();
$query = $stmt->get_result();
include 'includes/userquery.php';
}
函数(我假设这就是包含的内容)将变为
if($query->num_rows == 0){
echo '<div class="post">';
echo 'There is no results given the keyword, try to widen your search query.';
echo '</div>';
echo '<br>';
}
while($row = $query->fetch_assoc()){
include 'includes/post.php';
echo '<br>';
}
他们使用 include 的方式是 non-standard,通常 include 是在文件的顶部完成的,只有当被包含的文件 returns 在代码中间调用它的东西时,这种方式就像复制将代码粘贴到特定块,这确实有效,但它会导致混淆,就像你在 includes/userquery.php 中有变量 $sql 但它来自哪里?它没有在该文件中定义,甚至没有包含,现在当您编写代码时您知道,但以后您将无法记住。最好使用包含在文件顶部的函数,然后在您需要该功能的地方调用并将数据作为参数传递,这样一来就很清楚发生了什么。现在让我们看看您可以使用当前代码做什么:
{
$name = explode(' ', $key, 2); // Break String into Array.
if(empty($name[1])) {
$sql_param_types = 'ss';
$sql_params = [$name[0], $name[0]];
$sql = "SELECT *
FROM users
WHERE users.user_firstname = ?
OR users.user_lastname= ?";
} else {
$sql_param_types = 'ss';
$sql_params = [$name[0], $name[1]];
$sql = "SELECT *
FROM users
WHERE users.user_firstname = ?
AND users.user_lastname= ?";
}
include 'includes/userquery.php';
}
userquery.php:
$stmt = mysqli_prepare($conn, $sql);
$stmt->bind_param($sql_param_types, ...$sql_params);
$stmt->execute();
$result = $stmt->get_result();
if($result->num_rows == 0){
echo '<div class="post">';
echo 'There is no results given the keyword, try to widen your search query.';
echo '</div>';
echo '<br>';
}
while($row = $result->fetch_assoc()){
include 'includes/post.php';
echo '<br>';
}
我正在尝试将 SQL 查询的这一部分变成一个准备好的语句,但是它有相关的函数调用它的结果,所以我很难把它全部捆绑起来,所以这里是
这是 SQL 语句:
{
$name = explode(' ', $key, 2); // Break String into Array.
if(empty($name[1])) {
$sql = "SELECT *
FROM users
WHERE users.user_firstname = '$name[0]'
OR users.user_lastname= '$name[0]'";
} else {
$sql = "SELECT *
FROM users
WHERE users.user_firstname = '$name[0]'
AND users.user_lastname= '$name[1]'";
}
include 'includes/userquery.php';
}
调用它的函数:
$query = mysqli_query($conn, $sql);
if(mysqli_num_rows($query) == 0){
echo '<div class="post">';
echo 'There is no results given the keyword, try to widen your search query.';
echo '</div>';
echo '<br>';
}
while($row = mysqli_fetch_assoc($query)){
include 'includes/post.php';
echo '<br>';
}
我尝试了一些将查询转换为准备好的方法,但我收到诸如 ?未识别占位符或函数接收 bool
如果在使用 $name 数组中的正确值开始查询之前首先加载 2 个变量,则可以简化整个过程。
然后对查询进行简单更改以使其参数化和可绑定,您就可以准备、绑定和执行查询
然后对获取过程进行一个小的更改就可以让你离开 运行
{
$name = explode(' ', $key, 2); // Break String into Array.
if(empty($name[1])) {
$n1 = $name[0];
$n2 = $name[0];
$sql = "SELECT *
FROM users
WHERE users.user_firstname = ?
OR users.user_lastname= ?";
} else {
$n1 = $name[0];
$n2 = $name[1];
$sql = "SELECT *
FROM users
WHERE users.user_firstname = ?
AND users.user_lastname= ?";
}
$stmt = $conn->prepare($sql);
$stmt->bind_param('ss', $n1,$n2);
$result = $stmt->execute();
$query = $stmt->get_result();
include 'includes/userquery.php';
}
函数(我假设这就是包含的内容)将变为
if($query->num_rows == 0){
echo '<div class="post">';
echo 'There is no results given the keyword, try to widen your search query.';
echo '</div>';
echo '<br>';
}
while($row = $query->fetch_assoc()){
include 'includes/post.php';
echo '<br>';
}
他们使用 include 的方式是 non-standard,通常 include 是在文件的顶部完成的,只有当被包含的文件 returns 在代码中间调用它的东西时,这种方式就像复制将代码粘贴到特定块,这确实有效,但它会导致混淆,就像你在 includes/userquery.php 中有变量 $sql 但它来自哪里?它没有在该文件中定义,甚至没有包含,现在当您编写代码时您知道,但以后您将无法记住。最好使用包含在文件顶部的函数,然后在您需要该功能的地方调用并将数据作为参数传递,这样一来就很清楚发生了什么。现在让我们看看您可以使用当前代码做什么:
{
$name = explode(' ', $key, 2); // Break String into Array.
if(empty($name[1])) {
$sql_param_types = 'ss';
$sql_params = [$name[0], $name[0]];
$sql = "SELECT *
FROM users
WHERE users.user_firstname = ?
OR users.user_lastname= ?";
} else {
$sql_param_types = 'ss';
$sql_params = [$name[0], $name[1]];
$sql = "SELECT *
FROM users
WHERE users.user_firstname = ?
AND users.user_lastname= ?";
}
include 'includes/userquery.php';
}
userquery.php:
$stmt = mysqli_prepare($conn, $sql);
$stmt->bind_param($sql_param_types, ...$sql_params);
$stmt->execute();
$result = $stmt->get_result();
if($result->num_rows == 0){
echo '<div class="post">';
echo 'There is no results given the keyword, try to widen your search query.';
echo '</div>';
echo '<br>';
}
while($row = $result->fetch_assoc()){
include 'includes/post.php';
echo '<br>';
}