0

所以每个人都告诉我使用准备好的陈述,但我不知道现在该怎么做。

 $stmt = mysqli_prepare($con, "SELECT * FROM search WHERE `name2` LIKE '?' AND `approved`='approved'");
mysqli_stmt_bind_param($stmt, 's', $name);

/* execute prepared statement */
mysqli_stmt_execute($stmt);

那是我的代码,我如何从中创建一个数组

while ($row=mysqli_fetch_array($result))

从没有准备

4

1 回答 1

0

很高兴看到您决定使用 PDO!

//using MySQL
//refer here for reference http://www.php.net/manual/en/ref.pdo-mysql.php
$pdo = new PDO('mysql:host=xxx;port=xxx;dbname=xxx', $username, $password)

//write query
$sql = "SELECT * FROM search WHERE `name2` LIKE '?' AND `approved`='approved'";

//tell query what to replace ? marks with
$fill_array = array($name); // one item in array for the one ? in $sql above

//send query to DB for preparation
$prepare = $pdo->prepare($sql);

//send variables to DB, DB will bind them to the proper place and execute query
$prepare->execute($fill_array);

//get your array. I personally recommend PDO::FETCH_ASSOC but you are using ARRAY
$result = $prepare->fetchAll(PDO::FETCH_ARRAY);

echo '<pre>'.print_r($result, true).'</pre>';

瞧!

请注意,您必须编写代码来转义 $name 并检查诸如 % 符号和下划线之类的内容,因为如果有人按字面输入 %,则 LIKE 语句将返回所有已批准='已批准'的记录

于 2013-08-06T14:38:38.040 回答