duanreng3439 2015-09-14 16:12
Accepted

PHP - Passing a PDO connection query through a PHP function

So I'm trying to pass a PDO query by using PHP, like this (index.php):

include("dbconn.php");
mysqlConnect("'SELECT * FROM users WHERE name =' . $conn->quote($name))", "jeff");

while my dbconn file that contains the function is(dbconn.php):

function mysqlConnect($queryString, $name) {

    // DB Credentials
    $dbName = 'db';
    $dbUser = 'root';
    $dbPass = '';
    $dbHost = 'localhost';

    try {
        $conn = new PDO("mysql:host=$dbHost;dbname=$dbName", $dbUser, $dbPass);
        $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

        // Here goes the first parameter, then it uses the second parameter as a variable
        $data = $conn->query($queryString);
        // So the output should be this:
        // $data = $conn->query('SELECT * FROM myTable WHERE name = ' . $conn->quote($name));

        foreach($data as $row) {
            print_r($row);
        }
    } catch(PDOException $e) {
        echo 'ERROR: ' . $e->getMessage();
    }
}

So in my function call, PHP actually executes the $conn->quote($name)) code, making my application not work.

How should I do this? Is this allowed in PHP?

Edit:

Or in other words: I call a function and give it 2 parameters; one of the parameters (even though it's in double quotes) is executed by PHP, which shouldn't happen. How can I fix this?


1 answer

  • doushang8512 2015-09-14 17:16

    The way you wrote it, it will never work. You just have to learn to distinguish a string literal from executable code.

    Anyways, you don't need such a frankenstein at all. There is already a mechanism to put your variable in the query, called prepared statements. You just have to use them.

    There are other issues with your code too. I've described them all in the article I wrote recently, The only proper guide on PDO. I am sure you will find it interesting: all the issues like wrong error handling, an utterly wrong way to connect, and the lack of prepared statements are described there. Having all of them solved, here goes the proper function you need:

    function pdo($sql, $data=[]) 
    {
        global $pdo; // you can add a call to your favorite IoC here.
        $stmt = $pdo->prepare($sql);
        $stmt->execute($data);
        return $stmt;
    }
    

    used as

    include("dbconn.php");
    $user = pdo("SELECT * FROM users WHERE name = ?", ["jeff"])->fetch();
    var_dump($user);
    

    This is how PDO has to be used.

    By returning a statement, you'll be able to use all the power of PDO, getting data you need in one line, say a list

    $news = pdo("SELECT * FROM news ORDER BY id DESC")->fetchAll();
    var_dump($news); // already an array
    

    or just a single value

    $count = pdo("SELECT count(*) FROM posts WHERE author=?", [$id])->fetchColumn();
    var_dump($count); // already a number
    

    or simply by iterating results one by one

    $news = pdo("SELECT * FROM news ORDER BY id DESC")->fetchAll();
    foreach ($news as $row) {
        var_dump($row);
    }
    

    and so on.

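The difference between pasting a value into the SQL string and binding it through a placeholder, shown side by side as an added example that is not part of the original answer. It assumes an in-memory SQLite database and a constructed `users` table so it runs without a MySQL server; `connect()`, `run()` and the two `findByName...` functions are hypothetical names.

```php
<?php
// Added example, not the answer author's code. Assumption: in-memory
// SQLite stands in for MySQL so the script runs offline.
function connect(): PDO
{
    return new PDO('sqlite::memory:', null, null, [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

// Same shape as the answer's helper, but the connection is passed in
// instead of being read from a global.
function run(PDO $pdo, string $sql, array $data = []): PDOStatement
{
    $stmt = $pdo->prepare($sql);
    $stmt->execute($data);
    return $stmt;
}

// "Before" form, for comparison only: the value becomes part of the SQL text.
function findByNameConcatenated(PDO $pdo, string $name): array
{
    return $pdo->query("SELECT id, name FROM users WHERE name = '$name'")->fetchAll();
}

function findByNamePrepared(PDO $pdo, string $name): array
{
    return run($pdo, 'SELECT id, name FROM users WHERE name = ?', [$name])->fetchAll();
}

$pdo = connect();
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
foreach (['jeff', "O'Brien", 'alice'] as $n) {   // constructed sample rows
    run($pdo, 'INSERT INTO users (name) VALUES (?)', [$n]);
}

// Constructed inputs: a plain name, a name containing a quote, and a
// value shaped like SQL.
foreach (['jeff', "O'Brien", "nobody' OR '1'='1"] as $name) {
    try {
        $concat = count(findByNameConcatenated($pdo, $name));
    } catch (PDOException $e) {
        $concat = 'syntax error';   // the quote broke the statement
    }
    $prepared = count(findByNamePrepared($pdo, $name));
    printf("%-20s concatenated=%-12s prepared=%d\n", $name, $concat, $prepared);
}
```

The prepared form finds the row for the name containing a quote and returns nothing for the SQL-shaped value, because a bound value is never parsed as part of the statement.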