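<?php
declare(strict_types=1);

// Demo: look up rows by a bound value using a mysqli prepared statement.
// The "?" placeholder is positional (mysqli has no named placeholders); the
// bound value is sent separately from the SQL text, so it cannot change the
// statement's structure.
//
// NOTE(review): the credentials (root / "123") are hard-coded in the script.
// For anything beyond a local demo, read them from configuration and use an
// account limited to the `books` database.
$mysqli = new mysqli("localhost", "root", "123", "books");
// Before PHP 8.1 a failed connection does not throw; without this check the
// original script went on to call prepare() on a broken handle.
if ($mysqli->connect_error !== null) {
    die("Connection failed: " . $mysqli->connect_error);
}

$stmt = $mysqli->prepare("SELECT id FROM computers WHERE id LIKE ?");
if ($stmt === false) {
    // The original silently did nothing when prepare() failed.
    die("Prepare failed: " . $mysqli->error);
}

// bind_param() binds $code BY REFERENCE: the value is read when execute()
// runs, so assigning $code after the bind (but before execute()) is valid.
$stmt->bind_param("s", $code);
$code = '29';
// LIKE treats '%' and '_' in the bound value as wildcards. With the literal
// '29' this is just an equality test; if the value ever came from user input,
// use "= ?" or escape those two characters first.
if (!$stmt->execute()) {
    die("Execute failed: " . $stmt->error);
}

$stmt->bind_result($col1);
while ($stmt->fetch()) {
    printf("%s ", $col1);
}
$stmt->close();
$mysqli->close();
?>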
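<?php
declare(strict_types=1);

// The same parameterised lookup, written so that driver failures surface as
// exceptions instead of being ignored.
//
// Defect in the pasted original: this copy had no "<?php" open tag, so a PHP
// file containing it would print the code as literal text instead of running it.
//
// Make mysqli throw mysqli_sql_exception on connection, prepare and execute
// failures (the default from PHP 8.1; explicit here for older versions).
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

try {
    // NOTE(review): hard-coded root credentials — move them to configuration
    // and use a least-privilege account outside of a local demo.
    $mysqli = new mysqli("localhost", "root", "123", "books");
    $stmt = $mysqli->prepare("SELECT id FROM computers WHERE id LIKE ?");

    // Positional, by-reference binding: $code is read at execute() time, so
    // assigning it after bind_param() is fine. The value travels separately
    // from the SQL text and cannot alter the statement.
    $stmt->bind_param("s", $code);
    $code = '29';
    $stmt->execute();

    $stmt->bind_result($col1);
    while ($stmt->fetch()) {
        printf("%s ", $col1);
    }
    $stmt->close();
    $mysqli->close();
} catch (mysqli_sql_exception $e) {
    // Report the failure rather than silently producing no output.
    fwrite(STDERR, "Database error: " . $e->getMessage() . PHP_EOL);
    exit(1);
}
?>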
补充另外一个问题：$sql="set @v=123;select * from my_table where col=@v;"
mysqli_multi_query($handle, $sql); 这样的查询是否安全？有没有注入危险？
mysqli 只能匿名绑定，即按顺序绑定；
pdo 则可以按名称绑定。
你使用 mysqli 就不如使用 pdo 了。
2、不存在注入风险：
$sql="set @v=123;select * from my_table where col=@v;"
与
$sql="select * from my_table where col=123;"
一样。
既然没有外部数据传入，当然也就没有注入风险了。
$sql="set @v=$v;select * from my_table where col=@v;" 或许我写成这样就看得更明白了：只有当 $v 来自外部输入时才存在注入风险；若 $v 是程序内部的常量，就和直接写 123 没有区别。