我只是在阅读完后编辑我的搜索脚本SQL注入 https://en.wikipedia.org/wiki/SQL_injection攻击。我正在尝试使用以下命令从我的脚本中获得相同的功能PDO https://en.wikipedia.org/wiki/PHP#Development_and_community而不是常规的 MySQL 连接。所以我一直在阅读有关 PDO 的其他帖子,但我不确定。这两个脚本会提供相同的功能吗?
使用 PDO:
$pdo = new PDO('mysql:host=$host; dbname=$database;', $user, $pass);
$stmt = $pdo->prepare('SELECT * FROM auction WHERE name = :name');
$stmt->bindParam(':name', $_GET['searchdivebay']);
$stmt->execute(array(':name' => $name);
使用常规 MySQL:
$dbhost = @mysql_connect($host, $user, $pass) or die('Unable to connect to server');
@mysql_select_db('divebay') or die('Unable to select database');
$search = $_GET['searchdivebay'];
$query = trim($search);
$sql = "SELECT * FROM auction WHERE name LIKE '%" . $query . "%'";
if(!isset($query)){
echo 'Your search was invalid';
exit;
} //line 18
$result = mysql_query($trim);
$numrows = mysql_num_rows($result);
mysql_close($dbhost);
我继续使用常规示例
while($i < $numrows){
$row = mysql_fetch_array($result);
从数据库创建匹配结果的数组。如何使用 PDO 执行此操作?
看看PDOStatement.fetchAll http://www.php.net/manual/en/pdostatement.fetchall.php方法。你也可以使用fetch http://www.php.net/manual/en/pdostatement.fetch.php在迭代器模式中。
代码示例fetchAll
,来自 PHP 文档:
<?php
$sth = $dbh->prepare("SELECT name, colour FROM fruit");
$sth->execute();
/* Fetch all of the remaining rows in the result set */
print("Fetch all of the remaining rows in the result set:\n");
$result = $sth->fetchAll(\PDO::FETCH_ASSOC);
print_r($result);
Results:
Array
(
[0] => Array
(
[NAME] => pear
[COLOUR] => green
)
[1] => Array
(
[NAME] => watermelon
[COLOUR] => pink
)
)
本文内容由网友自发贡献,版权归原作者所有,本站不承担相应法律责任。如您发现有涉嫌抄袭侵权的内容,请联系:hwhale#tublm.com(使用前将#替换为@)