带有循环条件的 PDO 参数化 SELECT 语句

发布于 2024-11-03 05:28:49 字数 1371 浏览 1 评论 0原文

我正在将我正在开发的网络应用程序切换到 PDO（从可怕且不安全的 mysql_query），并且在如何使现有查询适应新格式方面遇到一些困难。查询查找特定文件类型的媒体项：

GET 的格式如下： jpg,png,gif

（下面的代码是转义的，但在本示例中已被简化）

$query   = "SELECT * FROM `media` WHERE `active` = '1' AND `thumb` IS NULL ";
if($_GET['extensions']){
    $extensions = array_filter(explode(',',str_replace(' ','',strtolower($_GET['extensions']))));
    foreach($extensions as $extension){
        $extension_sql[] = "`type` = '$extension' ";
    }
    if(count($extension_sql) > 0){
        $query .= 'AND (' . implode('OR ', $extension_sql) . ')';
    }
}
$query .= "ORDER BY `created` DESC ";
$result = mysql_query($query);
while($media = mysql_fetch_array($result)){     
    // Do stuff
}

也许我正在考虑这个以完全向后的方式，它应该使用 IN() 函数，但无论如何，我需要将其转换为参数化的 PDO 语句，例如：

$sth = $dbh->prepare("SELECT * FROM `media` WHERE `active` = '1' AND `thumb` IS NULL AND `type` IN(:set) ORDER BY `created` DESC ");
$types = implode(',', array_filter(explode(',',str_replace(' ','',strtolower($_GET['extensions']))));
$sth->bindParam(':set', $types);
$sth->execute();
while($datatype_option_row = $sth->fetch()){
    // Do stuff
}

显然这行不通......但我正在努力提高效率和安全性没什么成功。我也许能够循环文件类型来创建 SQL，然后再次循环绑定......但想看看这里是否有人对不同的方法有明智的建议。

TL;DR：试图找到参数化 SQL 条件动态列表的最佳方法。

提前致谢！

原文

I am switching a web-app I am working on to PDO (from the horrible and unsafe mysql_query) and am having some difficulty with how to adapt an existing query to the new format. The query finds media items of a certain file types:

The GET is formatted like: jpg,png,gif

(The code below was escaping things but has been simplified for this example)

$query   = "SELECT * FROM `media` WHERE `active` = '1' AND `thumb` IS NULL ";
if($_GET['extensions']){
    $extensions = array_filter(explode(',',str_replace(' ','',strtolower($_GET['extensions']))));
    foreach($extensions as $extension){
        $extension_sql[] = "`type` = '$extension' ";
    }
    if(count($extension_sql) > 0){
        $query .= 'AND (' . implode('OR ', $extension_sql) . ')';
    }
}
$query .= "ORDER BY `created` DESC ";
$result = mysql_query($query);
while($media = mysql_fetch_array($result)){     
    // Do stuff
}

Perhaps I was going about this in a totally backwards way and it should be using an IN() function but regardless, I need to convert this into a parameterized PDO statement such as:

$sth = $dbh->prepare("SELECT * FROM `media` WHERE `active` = '1' AND `thumb` IS NULL AND `type` IN(:set) ORDER BY `created` DESC ");
$types = implode(',', array_filter(explode(',',str_replace(' ','',strtolower($_GET['extensions']))));
$sth->bindParam(':set', $types);
$sth->execute();
while($datatype_option_row = $sth->fetch()){
    // Do stuff
}

Clearly this won't work... but I am trying to be efficient and secure with little success. I might be able to loop over files-types to create the SQL and then loop again over the binds... but wanted to see if anyone here had sage advice for a different approach.

TL;DR: Trying to find the best way to parameterize a dynamic lists of SQL conditionals.

Thanks in advance!

分享到QQ

分享到微博

如果你对这篇内容有疑问，欢迎到本站社区发帖提问参与讨论，获取更多帮助，或者扫码二维码加入 Web 技术交流群。

发布评论

需要登录才能够评论，你可以免费注册一个本站的账号。

指尖上得阳光 2024-11-10 05:28:49

弄清楚了，关键是 FIND_IN_SET 函数，因为它是一个简短的类型列表：

$type_sql = ($_GET['extensions'])? "AND FIND_IN_SET(`type`, :type)" : "";
$sth = $dbh->prepare("SELECT * FROM `media` WHERE `active` = '1' AND `thumb` IS NULL $type_sql ORDER BY `created` DESC ");
$sth->bindParam(':type', $_GET['extensions']);
$sth->execute();
while($media = $sth->fetch()){
    // Do stuff
}

Figured it out, the key was the FIND_IN_SET function since it's a short list of types:

$type_sql = ($_GET['extensions'])? "AND FIND_IN_SET(`type`, :type)" : "";
$sth = $dbh->prepare("SELECT * FROM `media` WHERE `active` = '1' AND `thumb` IS NULL $type_sql ORDER BY `created` DESC ");
$sth->bindParam(':type', $_GET['extensions']);
$sth->execute();
while($media = $sth->fetch()){
    // Do stuff
}

回复收藏 0 原文

~没有更多了~