1 Connecting to the database with PDO
<?php
try {
    $dsn = "mysql:host=localhost;dbname=test";
    $username = "root";
    $passwd = "root";
    $pdo = new PDO($dsn, $username, $passwd);
    echo "数据库连接成功";
} catch (PDOException $e) {
    echo $e->getMessage();
}
2 exec()
Executes an SQL statement and returns the number of rows affected
3 query() // query
Executes an SQL statement and returns a PDOStatement object
4 prepare() // query; the prepared statement is then run with execute()
— Prepares an SQL statement for execution and returns a PDOStatement object;
5 quote()
— Adds quotes around a string so it can be used in an SQL statement.
6 lastInsertId()
— Returns the ID of the last inserted row, or the last sequence value
7 setAttribute()
— Sets a connection attribute
8 getAttribute()
— Retrieves an attribute of the database connection
9 print_r can output string, int, float, array, object, etc.; an array is printed with its structure shown, and print_r returns true on success;
10 setFetchMode(PDO::FETCH_OBJ) sets the type returned by fetch()
11 PDO::FETCH_ASSOC returns the query result as an associative array; the default, PDO::FETCH_BOTH, returns the result keyed both by column name and by index; PDO::FETCH_OBJ returns an object
fetch(PDO::FETCH_OBJ)
12 SQL injection
' or 1=1 #
13 Preventing SQL injection
1)--------- quote() (every interpolated string must be quoted)
$username = $_POST["username"];
$password = $_POST["password"];
try {
    $pdo = new PDO("mysql:host=localhost;dbname=test", 'root', 'root');
    // quote() wraps the value in quotes and escapes special characters.
    // It has to be applied to every value spliced into the SQL text;
    // the original left $password unquoted, which is exactly the hole
    // the payload in item 12 exploits.
    $username = $pdo->quote($username);
    $password = $pdo->quote($password);
    $sql = "select * from user where username = {$username} and password = {$password}";
    $stmt = $pdo->query($sql);
    echo $stmt->rowCount();
} catch (PDOException $e) {
    echo $e->getMessage();
}
2)------ Placeholder method 1 (named placeholders)
$sql = "select * from user where username = :username and password = :password";
$stmt = $pdo->prepare($sql);
$stmt->execute(array(":username" => $username, ":password" => $password));
echo $stmt->rowCount();
3)------ Placeholder method 2 (positional placeholders, recommended)
// Placeholder method 2
$sql = "select * from user where username = ? and password = ?";
$stmt = $pdo->prepare($sql);
$stmt->execute(array($username, $password));
echo $stmt->rowCount();
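The following is an added example, not code from the original notes, that ties items 2 to 13 together in one flow: a connection with setAttribute() hardening, an insert that reads lastInsertId(), and a lookup through a prepared statement that is fed the injection string from item 12. The host, database name, credentials and the `user` table columns are assumptions.

```php
<?php
// Added example (not part of the original notes). Host, database and
// credentials are placeholders; the user table is assumed to have
// id, username and password columns.
function connect(): PDO {
    $dsn = "mysql:host=localhost;dbname=test;charset=utf8mb4";
    $pdo = new PDO($dsn, "root", "root");
    // Raise PDOException on any error instead of failing silently (item 7).
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Use real server-side prepared statements so the driver never splices
    // placeholder values into the SQL text on the client side.
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    // Default row shape for fetch(): associative array (item 11).
    $pdo->setAttribute(PDO::ATTR_DEFAULT_FETCH_MODE, PDO::FETCH_ASSOC);
    return $pdo;
}

// Insert a row with positional placeholders (item 13, method 3) and return
// the new id through lastInsertId() (item 6). The password is stored hashed
// rather than in clear text.
function addUser(PDO $pdo, string $username, string $password): string {
    $stmt = $pdo->prepare("INSERT INTO user (username, password) VALUES (?, ?)");
    $stmt->execute([$username, password_hash($password, PASSWORD_DEFAULT)]);
    return $pdo->lastInsertId();
}

// Look up a user by name with a named placeholder (item 13, method 2).
function findUser(PDO $pdo, string $username): ?array {
    $stmt = $pdo->prepare("SELECT id, username FROM user WHERE username = :username");
    $stmt->execute([":username" => $username]);
    $row = $stmt->fetch();
    return $row === false ? null : $row;
}

try {
    $pdo = connect();
    $id = addUser($pdo, "alice", "s3cret");
    // The payload from item 12 is bound as plain data: the prepared
    // statement matches no row instead of every row.
    var_dump(findUser($pdo, "' or 1=1 #"));
    // The row inserted above, as an associative array (item 9 / item 11).
    print_r(findUser($pdo, "alice"));
} catch (PDOException $e) {
    echo $e->getMessage();
}
```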