关于php:没有bind_param的mysqli预处理语句

mysqli prepared statement without bind_param

我有一个fname本代码选择从最新的记录在用户表

1
2
3
4
5
$mysqli = new mysqli(HOST, USER, PASSWORD, DATABASE);
$sdt=$mysqli->('SELECT fname FROM user ORDER BY id DESC LIMIT 1');
$sdt->bind_result($code);
$sdt->fetch();
echo $code ;

我使用准备好的语句和参数绑定_ earlier.but现在在上面的代码,我想提出的第一时间使用语句没有参数绑定_和我不知道如何选择一台没有使用绑定_ param.please告诉我如何做?


我不敢相信有这么多的尝试都失败了

1
2
3
$mysqli = new mysqli(HOST, USER, PASSWORD, DATABASE);
$res = $mysqli->query('SELECT fname FROM user ORDER BY id DESC LIMIT 1');
echo current($res->fetch_row());

勾选的答案对SQL注入开放。使用准备好的语句和不正确地准备数据有什么意义?您不应该只在查询行中放置一个字符串。准备好的声明的要点是它是准备好的。这里有一个例子

1
2
3
4
5
$query ="SELECT `Customer_ID`,`CompanyName` FROM `customers` WHERE `Customer_ID`=?";
$stmt = $db->prepare($query);
$stmt->bind_param('i',$_POST['ID']);
$stmt->execute();
$stmt->bind_result($id,$CompanyName);

在拉菲的密码里,你应该这样做

1
2
3
4
5
6
7
8
$bla = $_POST['something'];
$mysqli = new mysqli(HOST, USER, PASSWORD, DATABASE);
$stmt = $mysqli->prepare("SELECT `fname` FROM `user` WHERE `bla` = ? ORDER BY `id` DESC LIMIT 1");
$stmt->bind_param('s',$_POST['something']);
$stmt->execute();
$stmt->bind_result($code);
$stmt->fetch();
echo $code;

请注意,我不知道您的日志数据是字符串还是整数。如果它是一个整数,你可以

1
$stmt->bind_param('i',$_POST['something']);

相反。我知道你说的没有绑定参数,但是请相信我,如果你从一个页面接收输入,而没有首先正确地准备它,那就太糟糕了。


实际上,如果我更正了你的脚本,它会是这样的:

1
2
3
4
5
6
$mysqli = new mysqli(HOST, USER, PASSWORD, DATABASE);
$sdt = $mysqli->prepare('SELECT fname FROM user ORDER BY id DESC LIMIT 1');
$sdt->execute();
$sdt->bind_result($code);
$sdt->fetch();
echo $code;

因此,如果没有bind_-param,这通常对我有用:

1
2
3
4
5
6
7
$bla = $_POST['something'];
$mysqli = new mysqli(HOST, USER, PASSWORD, DATABASE);
$stmt = $mysqli->prepare("SELECT fname FROM user WHERE bla =" . $bla ." ORDER BY id DESC LIMIT 1");
$stmt->execute();
$stmt->bind_result($code);
$stmt->fetch();
echo $code;

这可能会有所帮助。