 |
21樓 巨大八爪鱼
2015-5-30 20:53
獲取單條記錄
$id = (int)@$_GET["i"];
if ($id < 1) {
$id = 1;
}
$sql = "SELECT ItemName, ItemAddress FROM WiFiHotSpots WHERE ItemID = {$id}";
$stmt = $dbh->query($sql); // use $stmt instead of $rs or $result
$row = $stmt->fetch();
echo "<b>" . $row[0] . "</b>: " . $row["ItemAddress"];
輸出:
7th Brigade Park, Chermside: Delaware St
|
|
|
22樓 巨大八爪鱼
2015-5-30 20:55
獲取多條記錄,並循環邊歷記錄集 <?php $sql = "SELECT ItemName, ItemAddress FROM WiFiHotSpots"; $stmt = $dbh->query($sql); // use $stmt instead of $rs or $result foreach ($stmt as $row) { echo "<p><b>" . $row[0] . "</b>: " . $row["ItemAddress"]."</p>"; } ?> |
|
|
23樓 巨大八爪鱼
2015-5-30 21:00
循環邊歷記錄集可以用多種方法: 方法一:foreach ($stmt as $row) { 方法二:while ($row = $stmt->fetch()) { 甚至還可以指定次數: for ($i = 0; $i < 4 && $row = $stmt->fetch(); $i++) { echo "<p><b>" . $row[0] . "</b>: " . $row["ItemAddress"]."</p>"; } |
|
|
24樓 巨大八爪鱼
2015-5-30 21:01
while ($row = $stmt->fetch()) {
就相當於原來的:
while ($row = mysql_fetch_array($rs)) {
for ($i = 0; $i < 4 && $row = $stmt->fetch(); $i++) {
相當於
for ($i = 0; $i < 4 && $row = mysql_fetch_array($rs); $i++) {
|
|
|
25樓 巨大八爪鱼
2015-5-30 21:03
foreach ($stmt as $row) { 只能遍歷整個記錄集,要想指定次數就得改用$row = $stmt->fetch();
|
|
|
26樓 巨大八爪鱼
2015-5-30 21:11
從外部獲取字符串參數並傳入SQL查詢中:
<?php
if (isset($_GET["name"])) {
$name = trim($_GET["name"]); // 去掉字符串兩邊的空格
$name = $dbh->quote($name); // 這個大致相當於原來的用於防止SQL隱碼攻擊的mysql_real_escape_string函數,但是這個函數兩邊自動加上了單引號
//echo $name;
} else {
$name = "Annerley Library Wifi";
}
$sql = "SELECT * FROM WiFiHotSpots WHERE ItemName = {$name}"; //注意不能再加單引號了
$stmt = $dbh->query($sql);
$row = $stmt->fetch();
echo "(" . $row["ItemLatitude"] . ", " . $row["ItemLongitude"] . ")";
?>
輸出(-27.3739664, 153.078323)
|
|
|
27樓 巨大八爪鱼
2015-5-30 21:15
回復:26樓
看PHP官方文檔下面的內容吧:
PDO::quote() places quotes around the input string (if
required) and escapes special characters within the input string, using a
quoting style appropriate to the underlying driver.
If you are using this function to build SQL statements, you are
strongly recommended to use
PDO::prepare() to prepare SQL statements with bound
parameters instead of using PDO::quote() to interpolate
user input into an SQL statement. Prepared statements with bound parameters
are not only more portable, more convenient, immune to SQL injection, but
are often much faster to execute than interpolated queries, as both the
server and client side can cache a compiled form of the query.
Not all PDO drivers implement this method (notably PDO_ODBC). Consider
using prepared statements instead.
因此26樓所屬的方法機不推薦使用,應該改用prepare+bind+execute方法。
|
|
|
28樓 巨大八爪鱼
2015-5-30 21:16
而且,不是所有數據庫都兼容$dbh->quote
|
|
|
29樓 巨大八爪鱼
2015-5-30 21:19
改進後的26樓代碼:
if (isset($_GET["name"])) {
$name = trim($_GET["name"]);
} else {
$name = "Annerley Library Wifi";
}
$sql = "SELECT * FROM WiFiHotSpots WHERE ItemName = ?";
$stmt = $dbh->prepare($sql);
$stmt->execute(array($name));
$row = $stmt->fetch();
echo "(" . $row["ItemLatitude"] . ", " . $row["ItemLongitude"] . ")";
|
|
|
30樓 巨大八爪鱼
2015-5-30 21:20
注意,那個?同樣不能再加單引號
|
