php - 来自 PHP 的 PREPARE STMT 查询不起作用

Question

Possible Duplicate:
How can you run a mysqli query with CodeIgniter?

我有一个mysql查询，我试图从php运行它。但是它在codeigniter中给了我一个sql语法错误。当我复制粘贴相同的查询并在 mysql workbench 中运行它时通过替换 @uid和@rangee使用正确的值，它可以正常工作。

这是查询:

$this->db->query("
            SET @uid    = ".mysqli_real_escape_string($conid,$userid).";
            SET @rangee = ".mysqli_real_escape_string($conid,$attempt)." * 50;

            PREPARE STMT FROM 
            '
            UPDATE     
                notificationrecievers 
                SET notificationrecievers.status=1 
                WHERE notificationrecievers.status=0 and notificationrecievers.recieverid=? and 

                notificationrecievers.notificationid <=
                (
                     SELECT MAX(notid) FROM
                     (
                      SELECT n.notid FROM user u,notifications n,notificationrecievers nr WHERE
                      nr.recieverid=? AND u.userid=n.senderid AND nr.notificationid=n.notid ORDER BY n.notid DESC
                      LIMIT 50 OFFSET ?
                     )e
                )   

               AND

                notificationrecievers.notificationid >=
                (
                     SELECT min(notid) FROM
                     (
                      SELECT n.notid FROM user u,notifications n,notificationrecievers nr WHERE
                      nr.recieverid=? AND u.userid=n.senderid AND nr.notificationid=n.notid ORDER BY n.notid DESC
                      LIMIT 50 OFFSET ?
                     )g
                );';
            EXECUTE STMT USING @uid,@uid,@rangee,@uid,@rangee;");

为什么它给我这个错误？

Answer 1

首先，query()方法并不是为了执行多个查询。 接下来，您的代码允许通过 $userid 变量进行注入(inject)。

最好从这些原始准备好的语句转移到二进制准备好的语句，如手册中所述