Shulou(Shulou.com)06/03 Report--

How to achieve php pdo parameterized query, many novices are not very clear about this, in order to help you solve this problem, the following editor will explain in detail for you, people with this need can come to learn, I hope you can gain something.

In PHP, you can do PDO parameterized queries through the prepare method, which returns a PDOStatement object, using syntax such as "prepare ('SELECT login_oid FROM logined WHERE user_id=...").

This article operating environment: Windows7 system, PHP7.1, Dell G3 computer.

How to implement php pdo parameterized query?

PDO parameterized query prepare () php prevents SQL injection

The parameterized query in PDO mainly uses the prepare () method, and then this method returns a PDOStatement object, that is, the SQL declaration (I don't know how to translate it). In this case, the SQL statement is compiled but not executed. After calling the method in PDOStatement, the SQL statement is executed, as shown in the following example:

$sm = $db- > prepare ('SELECT login_oid FROM logined WHERE user_id=:user_id;'); $sm- > bindValue (': user_id', $user_id, PDO::PARAM_INT); $sm- > execute ()

Before the execution of execute (), you can call the bindValue () or bindParam () method to replace the parameters you specified in the previously prepared SQL statement. There are two ways to specify parameters in the SQL statement:': name' and'?'. The above code uses the former and the latter:

$sm = $db- > prepare ('SELECT * FROM fruit WHERE calories

BindValue (1, $calories, PDO::PARAM_INT); $sm- > execute ()

BindValue () has three parameters, the first one specifies which parameter in the SQL statement to replace, the second specifies the replaced value, and the third specifies the type of the value, which corresponds to the following:

PDO::PARAM_BOOL

Boolean type

PDO::PARAM_NULL

NULL Typ

PDO::PARAM_INT

Integer type

PDO::PARAM_STR

String types such as CHAR, VARCHAR, string

PDO::PARAM_LOB

Resource class large objects, such as files, etc.

PDO::PARAM_STMT

I have no idea

PDO::PARAM_INPUT_OUTPUT

This seems to be an extension type.

It is surprising that there is no real number type in it.

Let's talk about the execute () method, which itself can replace parameters, but it changes all value types to string types, as follows

$sm = $db- > prepare ('SELECT * FROM fruit WHERE calories

Execute (array ($calories))

The replacement of multiple parameters is as follows

$sm = $db- > prepare ('SELECT * FROM fruit WHERE calories

Execute (array ($calories, $user_id))

Is it helpful for you to read the above content? If you want to know more about the relevant knowledge or read more related articles, please follow the industry information channel, thank you for your support.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.