急问如何使用参数形式把值赋给sql执行语句? pear db类可以访问microsoft access的吗?怎么写呢 解决方案 » 可以通过函数实现。请注意: :a = $a; 这样的格式在php中是非法的,必须变通function prepare(&$sql) { $param = array_slice(func_get_args(), 1); foreach($param as $v) { $sql = preg_replace("/:\w+/", $v, $sql, 1); } return $sql;}sql="insert into tbl(a,b,c) values (:a, :b, :c)";prepare($sql, $a, $b, $c); 这样得到的结果依然是组装的sql语句吧?只不过变通了一个方式去做,而没有真正做到PreparedStatement的效果?我要这样做目的是为了避免参数值里面包含了特殊字符,sql注入,或者超大文本(长度超出单条sql可以接受的范围)。 那各位大虾有没有MYSQLI或者PDO的例子呢? 你不看手册的吗?<?php$mysqli = new mysqli('localhost', 'my_user', 'my_password', 'world');/* check connection */if (mysqli_connect_errno()) { printf("Connect failed: %s\n", mysqli_connect_error()); exit();}$stmt = $mysqli->prepare("INSERT INTO CountryLanguage VALUES (?, ?, ?, ?)");$stmt->bind_param('sssd', $code, $language, $official, $percent);$code = 'DEU';$language = 'Bavarian';$official = "F";$percent = 11.2;/* execute prepared statement */$stmt->execute();printf("%d Row inserted.\n", $stmt->affected_rows);/* close statement and connection */$stmt->close();/* Clean up table CountryLanguage */$mysqli->query("DELETE FROM CountryLanguage WHERE Language='Bavarian'");printf("%d Row deleted.\n", $mysqli->affected_rows);/* close connection */$mysqli->close();?> if ((isset($_POST["MM_insert"])) && ($_POST["MM_insert"] == "form1")) { $insertSQL = sprintf("INSERT INTO t_sf_newsdate (NEWS_TIME, NEWS_TYPE_ID, NEWS_TITLE, NEWS_EDITER, NEWS_CONTANT) VALUES (%s, %s, %s, %s, %s)", GetSQLValueString($_POST['news_time'], "date"), GetSQLValueString($_POST['news_type'], "int"), GetSQLValueString($_POST['news_title'], "text"), GetSQLValueString($_POST['news_editor'], "text"), GetSQLValueString($_POST['Editorshaof'], "text")); mysql_select_db($database_shuifuconn, $shuifuconn); $Result1 = mysql_query($insertSQL, $shuifuconn) or die('xxx');function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "") { $theValue = (!get_magic_quotes_gpc()) ? 
addslashes($theValue) : $theValue; switch ($theType) { case "text": $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL"; break; case "long": case "int": $theValue = ($theValue != "") ? intval($theValue) : "NULL"; break; case "double": $theValue = ($theValue != "") ? "'" . doubleval($theValue) . "'" : "NULL"; break; case "date": $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL"; break; case "defined": $theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue; break; } return $theValue;}
// Body of prepare(&$sql, ...) — the "function prepare(&$sql) {" header is on
// the collapsed line above. Skip the first argument (the SQL string itself);
// everything after it is treated as a value to substitute.
$param = array_slice(func_get_args(), 1);
// Each value replaces the next ":name" placeholder, left to right (limit 1).
foreach($param as $v) {
// NOTE(review): $v is passed as the preg_replace *replacement* string, so
// "$1"/"\1" sequences inside the value are read as backreferences, and the
// value is neither quoted nor escaped. This is textual substitution into the
// SQL string, not a bound parameter — exactly the concern raised below.
$sql = preg_replace("/:\w+/", $v, $sql, 1);
}
return $sql;
// NOTE: the post omits the '$' sigil on "sql=" below; PHP needs $sql here.
}sql="insert into tbl(a,b,c) values (:a, :b, :c)";
prepare($sql, $a, $b, $c);
我要这样做目的是为了避免参数值里面包含了特殊字符,sql注入,或者超大文本(长度超出单条sql可以接受的范围)。
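$mysqli = new mysqli('localhost', 'my_user', 'my_password', 'world');
/* check connection */
if (mysqli_connect_errno()) {
    printf("Connect failed: %s\n", mysqli_connect_error());
    exit();
}

/* prepare() returns false on error (SQL syntax error, missing table, ...);
   calling bind_param() on false is a fatal error, so stop here instead. */
$stmt = $mysqli->prepare("INSERT INTO CountryLanguage VALUES (?, ?, ?, ?)");
if ($stmt === false) {
    printf("Prepare failed: %s\n", $mysqli->error);
    $mysqli->close();
    exit();
}

/* Bind by reference: 's' = string, 'd' = double. The values travel to the
   server separately from the SQL text, so they are never parsed as SQL —
   this is the parameterised form the thread is asking for. */
$stmt->bind_param('sssd', $code, $language, $official, $percent);
$code = 'DEU';
$language = 'Bavarian';
$official = "F";
$percent = 11.2;

/* execute prepared statement; execute() returns false on failure */
if (!$stmt->execute()) {
    printf("Execute failed: %s\n", $stmt->error);
} else {
    printf("%d Row inserted.\n", $stmt->affected_rows);
}

/* close statement and connection */
$stmt->close();

/* Clean up table CountryLanguage */
$mysqli->query("DELETE FROM CountryLanguage WHERE Language='Bavarian'");
printf("%d Row deleted.\n", $mysqli->affected_rows);

/* close connection */
$mysqli->close();
?>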
/* Form field => SQL type handed to GetSQLValueString(); the order matches
   the column list of the INSERT below. */
$newsFields = array(
    'news_time'   => "date",
    'news_type'   => "int",
    'news_title'  => "text",
    'news_editor' => "text",
    'Editorshaof' => "text",
);
$newsValues = array();
foreach ($newsFields as $field => $sqlType) {
    $newsValues[] = GetSQLValueString($_POST[$field], $sqlType);
}
/* NOTE(review): this assembles the SQL text from escaped strings rather than
   binding parameters; the mysqli example above shows the bound form. */
$insertSQL = vsprintf("INSERT INTO t_sf_newsdate (NEWS_TIME, NEWS_TYPE_ID, NEWS_TITLE, NEWS_EDITER, NEWS_CONTANT) VALUES (%s, %s, %s, %s, %s)", $newsValues);
mysql_select_db($database_shuifuconn, $shuifuconn);
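$Result1 = mysql_query($insertSQL, $shuifuconn) or die('xxx');

/**
 * Quote/escape a single value for interpolation into a SQL string (the
 * Dreamweaver-style helper used to build $insertSQL above).
 *
 * This is string escaping, not a bound parameter: the result is pasted into
 * the SQL text. addslashes() escapes only ' " \ and NUL and knows nothing
 * about the connection charset; the mysqli prepared statement shown earlier
 * in the thread is the robust alternative.
 *
 * @param mixed  $theValue           raw input (here, a $_POST field)
 * @param string $theType            one of text|long|int|double|date|defined;
 *                                   any other type returns the slash-escaped
 *                                   value unquoted, so callers must not pass
 *                                   an unknown type
 * @param string $theDefinedValue    returned for "defined" when value is non-empty
 * @param string $theNotDefinedValue returned for "defined" when value is empty
 * @return string|int SQL fragment: quoted string, integer, or the literal NULL
 */
function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "")
{
    /* get_magic_quotes_gpc() was removed in PHP 8; the original call fatals
       there. When it is absent the input is never pre-slashed, so escape
       unconditionally. On older PHP the behaviour is unchanged. */
    $magicQuotes = function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
    $theValue = $magicQuotes ? $theValue : addslashes($theValue);

    switch ($theType) {
        case "text":
            $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
            break;
        case "long":
        case "int":
            /* intval() yields a bare integer, so no quoting is needed */
            $theValue = ($theValue != "") ? intval($theValue) : "NULL";
            break;
        case "double":
            $theValue = ($theValue != "") ? "'" . doubleval($theValue) . "'" : "NULL";
            break;
        case "date":
            /* the date text is only slash-escaped, not validated as a date */
            $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
            break;
        case "defined":
            $theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;
            break;
    }
    return $theValue;
}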