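#21  巨大八爪鱼  2015-5-30 20:53

Fetching a single record:

    // @ suppresses the notice when "i" is absent; the (int) cast guarantees
    // $id is an integer, so interpolating it into the SQL string is safe.
    $id = (int)@$_GET["i"];
    if ($id < 1) {
        $id = 1;
    }

    $sql = "SELECT ItemName, ItemAddress FROM WiFiHotSpots WHERE ItemID = {$id}";
    $stmt = $dbh->query($sql); // use $stmt instead of $rs or $result
    $row = $stmt->fetch();     // columns are available by index and by name
    echo "<b>" . $row[0] . "</b>: " . $row["ItemAddress"];

Output:
7th Brigade Park, Chermside: Delaware St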
    
    
#22  巨大八爪鱼  2015-5-30 20:55

Fetching multiple records and looping over the record set:

    <?php
    $sql = "SELECT ItemName, ItemAddress FROM WiFiHotSpots";
    $stmt = $dbh->query($sql); // use $stmt instead of $rs or $result
    // A PDOStatement is traversable: each iteration yields one row.
    foreach ($stmt as $row) {
        echo "<p><b>" . $row[0] . "</b>: " . $row["ItemAddress"] . "</p>";
    }
    ?>
    
    
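#23  巨大八爪鱼  2015-5-30 21:00

There are several ways to loop over a record set:
Method 1: foreach ($stmt as $row) {
Method 2: while ($row = $stmt->fetch()) {

You can even specify the number of iterations:

    // Stops after 4 rows, or earlier when fetch() returns false.
    for ($i = 0; $i < 4 && $row = $stmt->fetch(); $i++) {
        echo "<p><b>" . $row[0] . "</b>: " . $row["ItemAddress"] . "</p>";
    }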
    
    
#24  巨大八爪鱼  2015-5-30 21:01

while ($row = $stmt->fetch()) {
is equivalent to the old:
while ($row = mysql_fetch_array($rs)) {

for ($i = 0; $i < 4 && $row = $stmt->fetch(); $i++) {
is equivalent to:
for ($i = 0; $i < 4 && $row = mysql_fetch_array($rs); $i++) {
    
    
#25  巨大八爪鱼  2015-5-30 21:03

foreach ($stmt as $row) { can only traverse the whole record set; to specify the number of iterations you have to switch to $row = $stmt->fetch();
    
    
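#26  巨大八爪鱼  2015-5-30 21:11

Getting a string parameter from outside and passing it into an SQL query:

    <?php
    if (isset($_GET["name"])) {
        $name = trim($_GET["name"]); // strip whitespace from both ends of the string
    } else {
        $name = "Annerley Library Wifi";
    }
    // Roughly equivalent to the old mysql_real_escape_string function used to
    // prevent SQL injection, but this function automatically adds single quotes
    // around the value. Applied after the if/else so the default is quoted too.
    $name = $dbh->quote($name);
    //echo $name;
    $sql = "SELECT * FROM WiFiHotSpots WHERE ItemName = {$name}"; // note: do not add single quotes again
    $stmt = $dbh->query($sql);
    $row = $stmt->fetch();
    echo "(" . $row["ItemLatitude"] . ", " . $row["ItemLongitude"] . ")";
    ?>

Output: (-27.3739664, 153.078323)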
    
    
#27  巨大八爪鱼  2015-5-30 21:15

Reply to #26: take a look at the following from the official PHP documentation:

   PDO::quote() places quotes around the input string (if
   required) and escapes special characters within the input string, using a
   quoting style appropriate to the underlying driver.

   If you are using this function to build SQL statements, you are
   strongly recommended to use
   PDO::prepare() to prepare SQL statements with bound
   parameters instead of using PDO::quote() to interpolate
   user input into an SQL statement.  Prepared statements with bound parameters
   are not only more portable, more convenient, immune to SQL injection, but
   are often much faster to execute than interpolated queries, as both the
   server and client side can cache a compiled form of the query.

   Not all PDO drivers implement this method (notably PDO_ODBC).  Consider
   using prepared statements instead.

So the method described in #26 is strongly discouraged; the prepare + bind + execute approach should be used instead.
    
    
#28  巨大八爪鱼  2015-5-30 21:16

Also, not all databases are compatible with $dbh->quote
    
    
#29  巨大八爪鱼  2015-5-30 21:19

Improved version of the code from #26:

    if (isset($_GET["name"])) {
        $name = trim($_GET["name"]);
    } else {
        $name = "Annerley Library Wifi";
    }

    // ? is a positional placeholder; the value is sent separately from the SQL text.
    $sql = "SELECT * FROM WiFiHotSpots WHERE ItemName = ?";
    $stmt = $dbh->prepare($sql);
    $stmt->execute(array($name)); // binds $name to the first placeholder
    $row = $stmt->fetch();
    echo "(" . $row["ItemLatitude"] . ", " . $row["ItemLongitude"] . ")";
    
    
#30  巨大八爪鱼  2015-5-30 21:20

Note that the ? likewise must not be wrapped in single quotes
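
An added example (not code from the thread): the prepare + bind + execute sequence recommended in #27, with an explicit bindValue() step for the string parameter from #26/#29 and the integer parameter from #21, and with the no-row case handled. The in-memory SQLite table, the second row, and the helper names findByName/findById are assumptions made so that it runs offline.

```php
<?php
// Added example, not from the thread. An in-memory SQLite database stands in
// for the thread's $dbh; the first row reuses the coordinates shown in #26.
$dbh = new PDO("sqlite::memory:");
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$dbh->setAttribute(PDO::ATTR_DEFAULT_FETCH_MODE, PDO::FETCH_ASSOC);
$dbh->exec("CREATE TABLE WiFiHotSpots (ItemID INTEGER PRIMARY KEY, ItemName TEXT,
            ItemLatitude REAL, ItemLongitude REAL)");
$ins = $dbh->prepare("INSERT INTO WiFiHotSpots (ItemName, ItemLatitude, ItemLongitude)
                      VALUES (?, ?, ?)");
$ins->execute(["Annerley Library Wifi", -27.3739664, 153.078323]);
// Constructed row: the name contains a single quote on purpose.
$ins->execute(["O'Example Park Wifi", -27.4, 153.1]);

// Hypothetical helper: string parameter bound to a named placeholder.
function findByName(PDO $dbh, string $name): ?array
{
    $stmt = $dbh->prepare("SELECT * FROM WiFiHotSpots WHERE ItemName = :name");
    $stmt->bindValue(":name", trim($name), PDO::PARAM_STR); // no quotes around :name
    $stmt->execute();
    $row = $stmt->fetch();
    return $row === false ? null : $row; // fetch() returns false when no row matches
}

// Hypothetical helper: integer parameter bound with an explicit type.
function findById(PDO $dbh, int $id): ?array
{
    $stmt = $dbh->prepare("SELECT * FROM WiFiHotSpots WHERE ItemID = :id");
    $stmt->bindValue(":id", max(1, $id), PDO::PARAM_INT); // id < 1 becomes 1, as in #21
    $stmt->execute();
    $row = $stmt->fetch();
    return $row === false ? null : $row;
}

// Constructed inputs: an apostrophe, padding whitespace, and a name with no match.
foreach (["O'Example Park Wifi", "  Annerley Library Wifi ", "no 'such' hotspot"] as $name) {
    $row = findByName($dbh, $name);
    // Escape on output: the name is data, not HTML.
    echo htmlspecialchars($name), " => ",
         $row ? "({$row['ItemLatitude']}, {$row['ItemLongitude']})" : "not found", "\n";
}
echo findById($dbh, 0)["ItemName"], "\n";
```

The quote characters in the inputs never reach the SQL text, so the apostrophe name matches its row and the unmatched name simply returns no row.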