【问题标题】:Create a query in mysql php7 with variables? [duplicate]在 mysql php7 中使用变量创建查询? [复制]
【发布时间】:2017-05-18 08:53:48
【问题描述】:

我正在尝试创建一个查询,但它不起作用。 我哪里错了?

$date = new \Datetime(date('d-m-Y'));
$date->add(DateInterval::createFromDateString('- 2 day'));
$date = $date->format('Y-m-d');

$stmt = $pdo->prepare('SELECT company.id as id, email, first_name, last_name, slug FROM company WHERE created < $date AND reminder = 0');

$stmt->execute();
$result = $stmt->fetchAll();

【问题讨论】:

  • 您可能应该使用双引号。除此之外,请准备好您的声明,而不是相信您的数据是 mysql 安全的。
  • 您是否尝试过检查收到的错误并查看发生了什么?您的意图是使用日期变量的值,但您已将其作为 SQL 文本的一部分嵌入。

标签: php mysql pdo


【解决方案1】:
$date = new \Datetime(date('d-m-Y'));
$date->add(DateInterval::createFromDateString('- 2 day'));
$date = $date->format('Y-m-d');

$stmt = $pdo->prepare('SELECT company.id as id, email, first_name, last_name, slug FROM company WHERE created < :date AND reminder = 0');
$stmt->bindParam(':date', $date);

$stmt->execute();
$result = $stmt->fetchAll();

确保将变量绑定到查询中,而不是直接将数据插入到查询中,这被认为是不安全的。 有关这方面的更多信息,请参阅manual

【讨论】:

    【解决方案2】:

    您的查询失败的原因是因为您试图在使用撇号创建的字符串中引用变量,这仅适用于双引号!

    $myvar = 1234;
    $q1 = 'myvar = $myvar'; // myvar = $myvar
    $q2 = "myvar = $myvar"; // myvar = 1234
    

    您还应该像PHP docs 一样正确准备查询。

    $date = new \Datetime(date('d-m-Y'));
    $date->add(DateInterval::createFromDateString('- 2 day'));
    $date = $date->format('Y-m-d');
    
    $stmt = $pdo->prepare("SELECT company.id as id, email, first_name, last_name, slug FROM company WHERE created < :date AND reminder = :reminder");
    
    $stmt->execute([':date' => $date, ':reminder' => 0]);
    $result = $stmt->fetchAll();
    

    通过使用这样的预处理语句,您可以防止 SQL 注入,因为查询的解析方式不同。

    【讨论】:

      【解决方案3】:

      您需要在 SQL 查询中使用连接运算符。 http://php.net/manual/en/language.operators.string.php

      像这样

      $stmt = $pdo->prepare('SELECT company.id as id, email, first_name, last_name, slug FROM company WHERE created < "' . $date . '" AND reminder = 0'); 
      

      编辑 -> 归功于@SheperdOfFire:

      $date = new \Datetime(date('d-m-Y'));
      $date->add(DateInterval::createFromDateString('- 2 day'));
      $date = $date->format('Y-m-d');
      
      $stmt = $pdo->prepare('SELECT company.id as id, email, first_name, last_name, slug FROM company WHERE created < :date AND reminder = 0');
      $stmt->bindParam(':date', $date);
      
      $stmt->execute();
      $result = $stmt->fetchAll();
      

      【讨论】:

        猜你喜欢
        • 2019-06-04
        • 1970-01-01
        • 2013-03-25
        • 1970-01-01
        • 2018-06-29
        • 1970-01-01
        • 2012-01-04
        • 1970-01-01
        相关资源
        最近更新 更多