如何将以下 INSERT 转换为准备好的语句以确保其安全?
我正在努力理清准备好的陈述。
基本上,我会像平常一样进行插入:
$sql = '
INSERT INTO customers
(customer_first, customer_last, customer_address, customer_email)
VALUES
(' . mysql_real_escape_string($_POST['customer_first']) . ',
' . mysql_real_escape_string($_POST['customer_last']) . ',
' . mysql_real_escape_string($_POST['customer_address']) . ',
' . mysql_real_escape_string($_POST['customer_email']) . ' )
';
mysql_query($sql);
据我所知,但是有一种更安全的方法可以使用准备好的语句来执行此操作。
到目前为止,我认为这样做是这样的:
$stmt = $dbh->prepare("INSERT INTO customers (customer_first, customer_last, customer_address, customer_email) VALUES (:customer_first, :customer_last, :customer_address, :customer_email)");
$stmt->bindParam(':customer_first', $_POST['customer_first']);
$stmt->bindParam(':customer_last', $_POST['customer_last']);
$stmt->bindParam(':customer_address', $_POST['customer_address']);
$stmt->bindParam(':customer_email', $_POST['customer_email']);
$stmt->execute();
这是正确的吗?或者有更好的方法来实现我想要实现的目标吗?如果我尝试上述操作,我会收到错误“调用非对象上的成员函数prepare()” - 这是什么意思?
我正在使用示例@ http://php.net/manual/en /pdo.prepared-statements.php。它指的是 $dbh - 它从哪里得到的? $dbh 是否应该在其他地方引用 - 我假设它与数据库连接有关?
除了这些问题之外,我还可以使用像上面这样的准备好的语句来使用 mysql_insert_id() 或 mysql_error() 之类的东西吗?
I'm trying to get my head around prepared statements.
Basically, I would do a insert like so normally:
$sql = '
INSERT INTO customers
(customer_first, customer_last, customer_address, customer_email)
VALUES
(' . mysql_real_escape_string($_POST['customer_first']) . ',
' . mysql_real_escape_string($_POST['customer_last']) . ',
' . mysql_real_escape_string($_POST['customer_address']) . ',
' . mysql_real_escape_string($_POST['customer_email']) . ' )
';
mysql_query($sql);
From what I've been told however there is a more secure way to do this using Prepared Statements.
So far I think it is done like so:
$stmt = $dbh->prepare("INSERT INTO customers (customer_first, customer_last, customer_address, customer_email) VALUES (:customer_first, :customer_last, :customer_address, :customer_email)");
$stmt->bindParam(':customer_first', $_POST['customer_first']);
$stmt->bindParam(':customer_last', $_POST['customer_last']);
$stmt->bindParam(':customer_address', $_POST['customer_address']);
$stmt->bindParam(':customer_email', $_POST['customer_email']);
$stmt->execute();
Is this correct? Or is there a better way to do what I'm trying to achieve? If I try the above I get an error "Call to a member function prepare() on a non-object" - what does that mean?
I'm using the examples @ http://php.net/manual/en/pdo.prepared-statements.php. It refers to a $dbh - where does it get that from? Is $dbh supposed to be referenced elsewhere - I'm assuming it is something to do with the database connection?
In addition to those questions, can I still use things like mysql_insert_id() or mysql_error() using prepared statements like above?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
如果您是 OOP 新手,您可以从 mysqli 开始,以便立即熟悉功能和语法以及对函数式编程的支持,但值得回顾一下 PDO 类 如果您准备好应对 OOP。
值得回顾一下以帮助决定从哪里开始: mysqli 或 PDO - 什么有什么优点和缺点?
$dbh = 数据库句柄(如 PDO > 连接和连接管理< 中定义) /a> 文档)
PDO::lastInsertId, PDO::errorInfo
If you are new to OOP, you could start with mysqli for more immediately familiar functionality and syntax and support for functional programming, but it's worth reviewing the PDO class if you're ready to tackle OOP.
Worth reviewing to help decide where to start: mysqli or PDO - what are the pros and cons?
$dbh = database handle (as defined in the PDO > Connections and Connection Management doc)
PDO::lastInsertId, PDO::errorInfo
错误消息表明您的问题出在
$dbh对象上——它是如何初始化的?The error message indicates your problem is with the
$dbhobject -- how is it initialized?