duanreng3439 2015-09-14 16:12
Accepted

PHP - Passing a PDO connection query through a PHP function

So I'm trying to pass a PDO query by using PHP, like this (index.php):

include("dbconn.php");
mysqlConnect("'SELECT * FROM users WHERE name =' . $conn->quote($name))", "jeff");

while my dbconn file that contains the function is(dbconn.php):

function mysqlConnect($queryString, $name) {

    // DB Credentials
    $dbName = 'db';
    $dbUser = 'root';
    $dbPass = '';
    $dbHost = 'localhost';

try {
    $conn = new PDO("mysql:host=$dbHost;dbname=$dbName", $dbUser, $dbPass);
    $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

    // Here goes the first parameter, then it uses the second parameter as a variable
    $data = $conn->query($queryString);
    // So the output should be this:
    // $data = $conn->query('SELECT * FROM myTable WHERE name = ' . $conn->quote($name));

    foreach($data as $row) {
        print_r($row); 
    }
} catch(PDOException $e) {
    echo 'ERROR: ' . $e->getMessage();
}
}

So in my function call, PHP actually executes the $conn->quote($name)) code, making my application not work.

How should I do this? Is this allowed in PHP?

Edit:

Or in other words: I call a function and give it 2 parameters; one of the parameters (even though it's in double quotes) is executed by PHP, which shouldn't happen. How can I fix this?

1 answer

  • doushang8512 2015-09-14 17:16

    The way you wrote it, it will never work. You just have to learn to distinguish a string literal from executable code.

    Anyways, you don't need such a frankenstein at all. There is already a mechanism to put your variable in the query, called prepared statements. You just have to use them.

    There are other issues with your code too. I've described them all in the article I wrote recently, The only proper guide on PDO, I am sure you will find it interesting - all the issues like wrong error handling, utterly wrong way to connect, lack of prepared statements - all described there. Having all of them solved, here goes the proper function you need:

    function pdo($sql, $data=[]) 
    {
        global $pdo; // you can add a call to your favorite IoC here.
        $stmt = $pdo->prepare($sql);
        $stmt->execute($data);
        return $stmt;
    }
    

    used as

    include("dbconn.php");
    $user = pdo("SELECT * FROM users WHERE name = ?", ["jeff"])->fetch();
    var_dump($user);
    

    This is how PDO has to be used.

    By returning a statement, you'll be able to use all the power of PDO, getting data you need in one line, say a list

    $news = pdo("SELECT * FROM news ORDER BY id DESC")->fetchAll();
    var_dump($news); // already an array
    

    or just a single value

    $count = pdo("SELECT count(*) FROM posts WHERE author=?", [$id])->fetchColumn();
    var_dump($count); // already a number
    

    or simply by iterating results one by one

    $news = pdo("SELECT * FROM news ORDER BY id DESC")->fetchAll();
    foreach ($news as $row) {
        var_dump($row);
    }
    

    and so on.

    This answer was selected by the asker as the best answer.
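
The prepared-statement approach from the accepted answer, as an added example that is not part of the original post: the connection is passed as an argument instead of a global, and an in-memory SQLite database stands in for the MySQL one so the script runs without a server. The helper name `run`, the `role` column and the sample rows are assumptions made for illustration.

```php
<?php
// Added example. In-memory SQLite stands in for the page's MySQL database
// (assumption) so the script runs offline; requires the pdo_sqlite extension.
$conn = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // fail loudly on SQL errors
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
]);

// Hypothetical helper: like the answer's pdo(), but the connection is an
// argument instead of a global. $sql holds placeholders only; the values
// go in $params and are never pasted into the SQL text.
function run(PDO $conn, string $sql, array $params = []): PDOStatement
{
    $stmt = $conn->prepare($sql);
    $stmt->execute($params);
    return $stmt;
}

// Constructed sample data.
$conn->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)');
$insert = 'INSERT INTO users (name, role) VALUES (:name, :role)';
foreach ([['jeff', 'admin'], ["O'Brien", 'user']] as [$name, $role]) {
    run($conn, $insert, ['name' => $name, 'role' => $role]);
}

// A value containing a quote character needs no quote() call and no escaping.
$row = run($conn, 'SELECT id, name FROM users WHERE name = ?', ["O'Brien"])->fetch();
var_dump($row['name'] === "O'Brien");

// PHP source placed inside a string is never executed: bound as a value,
// it is compared as plain text and matches no row, so fetch() returns false.
$asText = '$conn->quote($name)';
var_dump(run($conn, 'SELECT id FROM users WHERE name = ?', [$asText])->fetch());

// Named placeholders keep several values readable.
$count = run(
    $conn,
    'SELECT count(*) FROM users WHERE role = :role AND name <> :name',
    ['role' => 'admin', 'name' => 'nobody']
)->fetchColumn();
var_dump((int) $count);
```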
