
I am trying to make some prepared statements in PHP with postgres.

This is a bit hard to explain, so I will show you:

// $conn: the connection resource returned by pg_connect()
// PostgreSQL placeholders are written bare ($1, $2 ...); quoting them as '$1'
// turns them into a literal string, not a parameter.
$stmt = 'SELECT * FROM customer WHERE zip = $1';

if(isset($_POST["CITY"])){ 
   $stmt .= ' AND city = $2';   // leading space so the SQL does not run together
}

if(isset($_POST["COUNTRY"])){ 
   $stmt .= ' AND country = $3';
}

$result = pg_prepare($conn, "my query", $stmt);

// Always passes 3 values, even when the statement above only has 1 or 2 placeholders
$result1 = pg_execute($conn, "my query", array("0000","someCity","someCountry"));

Sorry if some of the code is wrong, but this is a freehand example. What I need is to be able to make the prepared statement dynamic depending on whether certain variables are isset/not-null. It does not seem to work when I post 3 variables in the array but the statement only needs 1, or when I only need to add $1 and $3 but not $2. I hope you understand.

I need to use this this weekend, so I hope someone knows!

Thanks in advance!


4 Answers


In a prepared statement the SQL is deliberately static. Once the statement has been prepared, the number of parameters cannot change.

But your code can easily submit the right number of parameters for the statement. You can add a variable for a parameter counter, plus a dynamic PHP array to pass to pg_execute instead of the hard-coded literals, and increment/fill them inside the if (isset(...)) branches.

answered 2012-08-17T18:11:46.540
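The counter-and-array approach this answer describes, as an added example that is not code from the page or from the answerer. It is written in Python rather than PHP so that it can be checked without a database: the helper returns the SQL text and the parameter list as a pair, which map directly onto the two arguments the page feeds to pg_prepare() and pg_execute() (or onto a Python driver such as asyncpg, which also uses $n placeholders). The form-field names ZIP/CITY/COUNTRY and the column names zip/city/country are taken from the question; build_customer_query(), placeholder_count() and the OPTIONAL_FILTERS table are hypothetical names introduced here.

```python
"""Dynamic WHERE clause with a parameter counter.

Added example, not code from the original page. Field/column names follow
the question; the helper names and the OPTIONAL_FILTERS table are assumptions.
"""
import re
from typing import Dict, List, Optional, Tuple

# Whitelist of form field -> column name. Column names come only from this
# table, never from the request, so the generated SQL text is never
# attacker-controlled; the submitted values go into the parameter list only.
OPTIONAL_FILTERS = {"CITY": "city", "COUNTRY": "country"}


def build_customer_query(form: Dict[str, Optional[str]]) -> Tuple[str, List[str]]:
    """Return (sql, params) for the customer search.

    ZIP is mandatory, as in the question; CITY and COUNTRY are appended only
    when present. A key whose value is None counts as not set, mirroring
    PHP's isset(). Because the placeholder number is always len(params) at
    the moment the value is appended, a missing middle filter leaves no gap
    in the numbering (the $1/$3-without-$2 case from the question).
    """
    zip_code = form.get("ZIP")
    if zip_code is None:
        raise ValueError("ZIP is required")

    params: List[str] = [zip_code]          # this is $1
    clauses: List[str] = ["zip = $1"]

    for field, column in OPTIONAL_FILTERS.items():
        value = form.get(field)
        if value is None:
            continue
        params.append(value)                # counter == len(params) after append
        clauses.append(f"{column} = ${len(params)}")

    sql = "SELECT * FROM customer WHERE " + " AND ".join(clauses)
    return sql, params


def placeholder_count(sql: str) -> int:
    """Highest $n referenced in sql: the number of parameters the server expects."""
    return max((int(n) for n in re.findall(r"\$(\d+)", sql)), default=0)


if __name__ == "__main__":
    # Constructed sample requests, not real data.
    samples = (
        {"ZIP": "0000"},
        {"ZIP": "0000", "COUNTRY": "someCountry"},
        {"ZIP": "0000", "CITY": "someCity", "COUNTRY": "someCountry"},
    )
    for form in samples:
        sql, params = build_customer_query(form)
        # The check pg_execute() effectively performs: placeholders == values.
        assert placeholder_count(sql) == len(params)
        print(sql, params)
```

In the PHP answer the same shape is `$stmt` plus a `$params` array grown inside each `isset()` branch, with the placeholder number taken from `count($params)` after the push; the invariant worth keeping in view is the one the `__main__` loop asserts, that the highest `$n` in the SQL equals the length of the array handed to pg_execute().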

There is nothing wrong with having 3 different statements (one for each case) and executing the applicable one depending on the number of parameters passed. Example:

Edit: I modified the code to cover all the cases:

  • only zip specified
  • zip + city
  • zip + country
  • zip + city + country

(even if there are other cases, you get the idea)

// $conn: the connection resource returned by pg_connect()
// Placeholders are written bare ($1, $2 ...), never inside quotes.
$stmt = 'SELECT * FROM customer WHERE zip = $1';

if(isset($_POST["CITY"]) && isset($_POST["COUNTRY"])) { 
   $stmt3 = $stmt . ' AND city = $2' . ' AND country = $3';
} elseif(isset($_POST["CITY"])) { 
   $stmt1 = $stmt . ' AND city = $2';
} elseif(isset($_POST["COUNTRY"])) {
   // country is the second (and last) parameter here, so it is $2, not $3
   $stmt2 = $stmt . ' AND country = $2';
}

// Each branch passes exactly as many values as its statement has placeholders
if(isset($stmt3)) {
   $result = pg_prepare($conn, "my query", $stmt3);
   $result1 = pg_execute($conn, "my query", array("0000","someCity","someCountry"));
} elseif(isset($stmt2)) {
   $result = pg_prepare($conn, "my query", $stmt2);
   $result1 = pg_execute($conn, "my query", array("0000","someCountry"));
} elseif(isset($stmt1)) {
   $result = pg_prepare($conn, "my query", $stmt1);
   $result1 = pg_execute($conn, "my query", array("0000","someCity"));
} else {
   $result = pg_prepare($conn, "my query", $stmt);
   $result1 = pg_execute($conn, "my query", array("0000"));
}

For brevity I have omitted (as you did) all the error checking.

answered 2012-08-17T19:19:51.277

Although Daniel and aymeric are both correct, testing twice makes no sense, and neither does using numbers. See below:

// pg_prepare()/pg_execute() only understand positional $1, $2 ... placeholders,
// so named placeholders such as :zip need PDO with the pdo_pgsql driver.
// $pdo: a PDO instance, e.g. new PDO("pgsql:host=...;dbname=...", $user, $pass)
$some_vars = array();
$some_vars[":zip"] = $_POST["ZIP"];
$stmt = "SELECT * FROM customer WHERE zip = :zip";

if(isset($_POST["CITY"])){ 
    $some_vars[":city"] = $_POST["CITY"];
    $stmt .= " AND city = :city";
}

if(isset($_POST["COUNTRY"])){ 
    $some_vars[":country"] = $_POST["COUNTRY"];
    $stmt .= " AND country = :country";
}

// The array keys match the placeholder names, so the number of values
// always equals the number of placeholders in $stmt.
$query = $pdo->prepare($stmt);
$query->execute($some_vars);
$result1 = $query->fetchAll();

Don't forget sanitizing etc.

answered 2013-05-30T16:03:04.517

Don't do string concatenation. Check whether the parameters are set. If not, set them to empty. Use a single query string:

// $conn: the connection resource returned by pg_connect()
// Absent fields default to '' so that every placeholder always receives a value
// (isset() on the $_POST key avoids the undefined-index notice).
$zip     = isset($_POST["zip"])     ? $_POST["zip"]     : '';
$city    = isset($_POST["city"])    ? $_POST["city"]    : '';
$country = isset($_POST["country"]) ? $_POST["country"] : '';

// Nowdoc keeps the $n placeholders literal and unquoted.
// Assumes zip/city/country are text columns, so comparing $n with '' is valid.
$stmt = <<<'SQL'
    select *
    from customer
    where
        (zip = $1 or $1 = '')
        and
        (city = $2 or $2 = '')
        and
        (country = $3 or $3 = '')
SQL;

$result = pg_prepare($conn, "my query", $stmt);
$result1 = pg_execute(
        $conn,
        "my query",
        array($zip, $city, $country)
        );

Each condition is enforced only when the corresponding parameter is not an empty string.

The same logic can be used with nulls instead of empty strings for those columns that contain empty strings which should be selectable.

answered 2013-05-30T19:26:35.387