Prepared statements have two benefits:
1. They reduce SQL statement parsing (the statement is parsed once and can be executed many times with different values)
2. They prevent SQL injection (bound values are sent as data, never spliced into the SQL text)
For example:
select * from a where id = ?
In MySQL itself:
set @i='select * from a where id = ? and name=?';
prepare xxx from @i;
set @a=5,@b='john';
execute xxx using @a,@b;
There are two ways to drop a prepared statement:
deallocate prepare xxx;
drop prepare xxx;
--- PHP
mysqli
$e=null;
$a=new mysqli('localhost','root','ab789789');
$stmt=$a->prepare("insert into a.a(c)values(?)");
$b='sadf';
// $stmt->bind_param('s','ccc');   <- wrong: this raises an error, because bind_param takes its arguments by reference; use a variable
$stmt->bind_param('s',$b);        // <- correct
$stmt->execute();
1. The first argument of bind_param is a type string, one character per bound value: i = int, d = double, s = string, b = blob
PDO
Differences from mysqli:
bind_param becomes bindParam
? becomes :name (a named placeholder)
try {
$conn=new PDO("mysql:host=localhost;dbname=a",'root','ab789789');
$conn->setAttribute(PDO::ATTR_ERRMODE,PDO::ERRMODE_EXCEPTION);
$stmt=$conn->prepare("insert into a (c)values(:c)");
$a="sss";
$stmt->bindParam(':c',$a);        // <- named placeholder bound to a variable
$stmt->execute();
} catch (PDOException $e) {
echo $e->getMessage();
}
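The by-reference binding noted above is what lets one prepared statement serve many executions. The following is an added example, not code from the original notes; it assumes database a, a table a with a single varchar column c, and the same local credentials as above, and shows binding once and re-executing per row in both mysqli and PDO, then a parameterized read where a quote in the input is handled as data:

```php
<?php
// Added example: reuse one prepared statement for many rows.
// Assumptions: database 'a', table 'a' with a varchar column 'c',
// and the local credentials used in the notes above.
$rows = ['alice', "O'Brien", 'carol'];   // constructed sample input

// --- mysqli: bind_param binds BY REFERENCE, so bind once and
//     simply reassign the variable before each execute().
$db = new mysqli('localhost', 'root', 'ab789789', 'a');
$db->set_charset('utf8mb4');
$stmt = $db->prepare('INSERT INTO a (c) VALUES (?)');
$c = '';                        // must be a variable, never a literal
$stmt->bind_param('s', $c);     // parsed once server-side, bound once here
foreach ($rows as $value) {
    $c = $value;                // the reference now sees the new value
    $stmt->execute();           // no re-parse, no string concatenation
}
$stmt->close();

// --- PDO: bindParam is also by reference; bindValue copies the value
//     at bind time, so bindValue would have to be called inside the loop.
$pdo = new PDO('mysql:host=localhost;dbname=a;charset=utf8mb4', 'root', 'ab789789', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepares
]);
$ins = $pdo->prepare('INSERT INTO a (c) VALUES (:c)');
$ins->bindParam(':c', $c);      // bound once, by reference
foreach ($rows as $value) {
    $c = $value;
    $ins->execute();
}

// Reading back with a bound WHERE parameter: the apostrophe in
// O'Brien travels as data, so no escaping or quoting is needed.
$sel = $pdo->prepare('SELECT c FROM a WHERE c = :c');
$sel->bindValue(':c', "O'Brien");
$sel->execute();
foreach ($sel->fetchAll(PDO::FETCH_COLUMN) as $found) {
    echo $found, PHP_EOL;
}
```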