To write my query correctly for use with prepared statements, I have this query:

$sql = "SELECT *
FROM photos
WHERE g_id = ?
LIMIT $curPage,".$totalPix;
$result = $conn->query($sql) or die(mysqli_error($conn));
$row = $result->fetch_assoc();
The question here is: should I use prepared-statement placeholders for $curPage and $totalPix as well? If so, would I do it like this:
$sql = "SELECT *
FROM photos
WHERE g_id = ?
LIMIT ?, ?";
$gid = $i; $lm = $v1; $mt = $v2;
$stmt = $conn->prepare($sql);
$stmt->bind_param('iii', $gid, $lm, $mt);
$stmt->execute();
$stmt->store_result();
$stmt->bind_result($p_fname);
$stmt->fetch();
...or do the variables $curPage and $totalPix not leave the query open to SQL injection? Thanks in advance!