php mysqli parameterized query: PHP MySQLi parameterized query not working

I am updating my currently unprotected queries to parameterized queries to prevent SQL injection.

I have spent hours trying to sort this out but cannot find the problem; any help is greatly appreciated.

Works before (echo $row['storeID'];):

$storeName = mysqli_real_escape_string($conn, $_GET['store']);
$query = "SELECT * FROM stores WHERE storeName = '$storeName'";
$results = mysqli_query($conn, $query);
$row = mysqli_fetch_assoc($results);

$storeName = $_GET['store'];
$stmt = mysqli_prepare($conn, "SELECT * FROM stores WHERE storeName = ?");
mysqli_stmt_bind_param($stmt, "s", $storeName);
mysqli_stmt_execute($stmt);
$row = mysqli_stmt_fetch($stmt);

This echo should work, but with the prepared statement it does not:

echo $row['storeID'];

Solution:

If you look at the documentation for mysqli_stmt_fetch, you will see this description:

Fetch results from a prepared statement into the bound variables

$storeName = $_GET['store'];
$stmt = mysqli_prepare($conn, "SELECT * FROM stores WHERE storeName = ?");
mysqli_stmt_bind_param($stmt, "s", $storeName);
mysqli_stmt_execute($stmt);
mysqli_stmt_bind_result($stmt, $col1, $col2, $col3,...);
while (mysqli_stmt_fetch($stmt)) {
    // do stuff with $col1, $col2, etc.
}

Now, on each iteration of the loop, the bound result variables are given the values from the current row of the result set.

However, I would strongly recommend that you use PDO instead, which is far less verbose:

$storeName = $_GET['store'];
$stmt = $db->prepare("SELECT * FROM stores WHERE storeName = ?");
$stmt->execute([$storeName]);
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
// now you have a simple array with all your results
foreach ($rows as $row) {
    // do stuff with $row
}
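As an added example (not code from the question or the answer above), here is a complete script that shows both ways of reading rows back from a mysqli prepared statement, plus the PDO equivalent. It assumes a table `stores` with columns `storeID` and `storeName` (the column names used in the question); the connection constants are placeholders. The mysqli_stmt_get_result() path is worth knowing because it hands back a mysqli_result, so mysqli_fetch_assoc() keeps working exactly as it did with the old, unparameterized query.

```php
<?php
// Added example, not from the original thread. Assumes a `stores` table with
// columns `storeID` and `storeName`; the DB_* constants are placeholders.
declare(strict_types=1);

const DB_HOST = 'localhost';    // placeholder
const DB_USER = 'db_user';      // placeholder
const DB_PASS = 'db_password';  // placeholder
const DB_NAME = 'shop';         // placeholder

// Make mysqli throw on errors instead of returning false that then gets
// silently passed into the next call.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * mysqli, path 1: mysqli_stmt_get_result() gives a mysqli_result, so the row
 * comes back as an associative array just like with mysqli_query().
 * (Requires the mysqlnd driver, which is the default in modern PHP builds.)
 */
function findStoreMysqli(mysqli $conn, string $storeName): ?array
{
    $stmt = mysqli_prepare($conn, "SELECT storeID, storeName FROM stores WHERE storeName = ?");
    // The value travels separately from the SQL text, so quotes or comment
    // sequences inside $storeName are data, never syntax. No escaping needed.
    mysqli_stmt_bind_param($stmt, "s", $storeName);
    mysqli_stmt_execute($stmt);

    $result = mysqli_stmt_get_result($stmt);  // mysqli_result
    $row = mysqli_fetch_assoc($result);       // array, or null if no row
    mysqli_stmt_close($stmt);
    return $row ?: null;
}

/**
 * mysqli, path 2: bind_result + fetch. mysqli_stmt_fetch() returns true (row
 * fetched), null (no more rows) or false (error); the column values are
 * written into the bound variables, which is why `$row = mysqli_stmt_fetch()`
 * followed by `$row['storeID']` in the question could never work.
 */
function findStoreIdMysqliBound(mysqli $conn, string $storeName): ?int
{
    $stmt = mysqli_prepare($conn, "SELECT storeID FROM stores WHERE storeName = ?");
    mysqli_stmt_bind_param($stmt, "s", $storeName);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_bind_result($stmt, $storeID); // each fetch() fills $storeID
    $fetched = mysqli_stmt_fetch($stmt);
    mysqli_stmt_close($stmt);
    return $fetched === true ? (int) $storeID : null;
}

/**
 * PDO version. Emulated prepares are turned off so the parameter is bound by
 * the server, and errors surface as exceptions rather than false returns.
 */
function findStorePdo(PDO $db, string $storeName): ?array
{
    $stmt = $db->prepare("SELECT storeID, storeName FROM stores WHERE storeName = ?");
    $stmt->execute([$storeName]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// --- usage ---
$storeName = $_GET['store'] ?? '';

$conn = mysqli_connect(DB_HOST, DB_USER, DB_PASS, DB_NAME);
$row = findStoreMysqli($conn, $storeName);
echo $row ? $row['storeID'] : 'not found', PHP_EOL;
echo findStoreIdMysqliBound($conn, $storeName) ?? 'not found', PHP_EOL;

$db = new PDO(
    'mysql:host=' . DB_HOST . ';dbname=' . DB_NAME . ';charset=utf8mb4',
    DB_USER,
    DB_PASS,
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]
);
$row = findStorePdo($db, $storeName);
echo $row ? $row['storeID'] : 'not found', PHP_EOL;
```

All three functions send the user-supplied name as a bound parameter, so the SQL text never changes regardless of what `$_GET['store']` contains; the only remaining difference between them is how the result row is read back. Setting `PDO::ATTR_EMULATE_PREPARES` to false makes PDO use real server-side prepared statements rather than client-side quoting, and `mysqli_report(... MYSQLI_REPORT_STRICT)` turns the silent `false` returns of the mysqli functions into exceptions, which makes mistakes like the one in the question fail loudly instead of printing nothing.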

Tags: mysqli, mysql, php

Source: https://codeday.me/bug/20191108/2007268.html
