我正在使用 SELECT
像这样的查询:
SELECT knowledge.*,
sortflagitems.*
FROM knowledge,
sortflagitems
WHERE sortflagitems.flagid = :FlagID
AND knowledge.id = sortflagitems.kid
AND sortflagitems.cid = :CID
AND knowledge.archived = :Nothing
AND sortflagitems.flagdate <= :Now
ORDER BY sortflagitems.sortorder
这会产生此错误:
Invalid parameter number: number of bound variables does not match number of tokens
但是如果我更改 SELECT
查询到此:
SELECT knowledge.*,
sortflagitems.*
FROM knowledge,
sortflagitems
WHERE sortflagitems.flagid = :FlagID
AND knowledge.id = sortflagitems.kid
AND sortflagitems.cid = :CID
AND knowledge.archived = :Nothing
AND sortflagitems.flagdate = :Now
ORDER BY sortflagitems.sortorder
这不会产生任何错误
请注意这一行 SortFlagItems.FlagDate=:Now
更改自SortFlagItems.FlagDate<=:Now
我唯一的理论是,由于某种原因,当您选择多个表时,您不能使用 <=
运算符(请注意,使用 <
运算符会产生相同的错误)?我想不出其他的了..
这是完整的 PHP 代码:
$DBParams = array('FlagID'=>$_GET['flag'], 'CID'=>$row['CatID'], 'Nothing'=>0, 'Now'=>strtotime('now'));
$results = $Db->rquery('
SELECT Knowledge.*, SortFlagItems.*
FROM Knowledge, SortFlagItems
WHERE SortFlagItems.FlagID=:FlagID
AND Knowledge.id = SortFlagItems.KID
AND SortFlagItems.CID=:CID
AND Knowledge.Archived=:Nothing
AND SortFlagItems.FlagDate<=:Now
ORDER BY SortFlagItems.SortOrder', $DBParams);
这是 rquery
功能:
function rquery($query, $params = NULL) {
$this->_query = filter_var($query, FILTER_SANITIZE_STRING);
$stmt = $this->_prepareQuery();
$stmt->execute($params);
$results = $this->_dynamicBindResults($stmt);
return $results;
}
和构造函数:
public function __construct($host, $username, $password, $db) {
$this->_mysql = new PDO("mysql:host=$host;dbname=$db", $username, $password);
$this->_mysql->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
}
最佳答案
我的解决方案是从您的方法中删除filter_var:
function rquery($query, $params = NULL) {
$this->_query = $query;
$stmt = $this->_prepareQuery();
$stmt->execute($params);
$results = $this->_dynamicBindResults($stmt);
return $results;
}
该绑定(bind)将阻止您进行 SQL 注入(inject)。
如果需要,您可以在 _dynamicBindResults
内的参数上使用 filter_var()
。
或者您可以在传递查询之前在每个参数上使用它:
$DBParams = array('FlagID'=>filter_var($_GET['flag'], FILTER_SANITIZE_STRING),...);
这里的连接是显式连接:
SELECT Knowledge.*, SortFlagItems.*
FROM Knowledge
INNER JOIN SortFlagItems ON Knowledge.id = SortFlagItems.KID
WHERE SortFlagItems.FlagID=:FlagID
AND SortFlagItems.CID=:CID
AND Knowledge.Archived=:Nothing
AND SortFlagItems.FlagDate<=:Now
ORDER BY SortFlagItems.SortOrder
关于php - 在 MySQL 中选择多个表阻止我使用 <= 表达式,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/15144457/