There are currently 67 posts.
 |
獲取單條記錄
$id = (int)@$_GET["i"]; if ($id < 1) { $id = 1; } $sql = "SELECT ItemName, ItemAddress FROM WiFiHotSpots WHERE ItemID = {$id}"; $stmt = $dbh->query($sql); // use $stmt instead of $rs or $result $row = $stmt->fetch(); echo "<b>" . $row[0] . "</b>: " . $row["ItemAddress"]; 輸出: 7th Brigade Park, Chermside: Delaware St |
|
獲取多條記錄,並循環邊歷記錄集
<?php $sql = "SELECT ItemName, ItemAddress FROM WiFiHotSpots"; $stmt = $dbh->query($sql); // use $stmt instead of $rs or $result foreach ($stmt as $row) { echo "<p><b>" . $row[0] . "</b>: " . $row["ItemAddress"]."</p>"; } ?> |
|
循環邊歷記錄集可以用多種方法:
方法一:foreach ($stmt as $row) { 方法二:while ($row = $stmt->fetch()) { 甚至還可以指定次數: for ($i = 0; $i < 4 && $row = $stmt->fetch(); $i++) { echo "<p><b>" . $row[0] . "</b>: " . $row["ItemAddress"]."</p>"; } |
|
while ($row = $stmt->fetch()) {
就相當於原來的: while ($row = mysql_fetch_array($rs)) { for ($i = 0; $i < 4 && $row = $stmt->fetch(); $i++) { 相當於 for ($i = 0; $i < 4 && $row = mysql_fetch_array($rs); $i++) { |
|
foreach ($stmt as $row) { 只能遍歷整個記錄集,要想指定次數就得改用$row = $stmt->fetch();
|
|
從外部獲取字符串參數並傳入SQL查詢中:
<?php if (isset($_GET["name"])) { $name = trim($_GET["name"]); // 去掉字符串兩邊的空格 $name = $dbh->quote($name); // 這個大致相當於原來的用於防止SQL隱碼攻擊的mysql_real_escape_string函數,但是這個函數兩邊自動加上了單引號 //echo $name; } else { $name = "Annerley Library Wifi"; } $sql = "SELECT * FROM WiFiHotSpots WHERE ItemName = {$name}"; //注意不能再加單引號了 $stmt = $dbh->query($sql); $row = $stmt->fetch(); echo "(" . $row["ItemLatitude"] . ", " . $row["ItemLongitude"] . ")"; ?> 輸出(-27.3739664, 153.078323) |
|
回復:26樓
看PHP官方文檔下面的內容吧: PDO::quote() places quotes around the input string (if required) and escapes special characters within the input string, using a quoting style appropriate to the underlying driver. If you are using this function to build SQL statements, you are strongly recommended to use PDO::prepare() to prepare SQL statements with bound parameters instead of using PDO::quote() to interpolate user input into an SQL statement. Prepared statements with bound parameters are not only more portable, more convenient, immune to SQL injection, but are often much faster to execute than interpolated queries, as both the server and client side can cache a compiled form of the query. Not all PDO drivers implement this method (notably PDO_ODBC). Consider using prepared statements instead. 因此26樓所屬的方法機不推薦使用,應該改用prepare+bind+execute方法。 |
|
而且,不是所有數據庫都兼容$dbh->quote
|
|
改進後的26樓代碼:
if (isset($_GET["name"])) { $name = trim($_GET["name"]); } else { $name = "Annerley Library Wifi"; } $sql = "SELECT * FROM WiFiHotSpots WHERE ItemName = ?"; $stmt = $dbh->prepare($sql); $stmt->execute(array($name)); $row = $stmt->fetch(); echo "(" . $row["ItemLatitude"] . ", " . $row["ItemLongitude"] . ")"; |
|
注意,那個?同樣不能再加單引號
|
