我目前正在使用已弃用的代码从用户那里获取数据,如下所示:
/* retrieve */
$lastName = $_POST['lastName'];
$firstName = $_POST['firstName'];
$examLevel=$_POST['level'];
/* connect */
$dbc=mysql_connect("localhost", "user", "passw") or die('Error connecting to MySQL server');
mysql_select_db("db") or die('Error selecting database.');
/* sanitize */
$lastName=mysql_real_escape_string($lastName);
$firstName=mysql_real_escape_string($firstName);
$examLevel=mysql_real_escape_string($examLevel);
/* insert */
$query_personal = "INSERT INTO personal (LastName, FirstName) VALUES ('$lastName', '$firstName')";
$query_exam = "INSERT INTO exam (Level, Centre, BackupCentre, etc.) VALUES ('$examLevel', '$centre', '$backup', 'etc')";
这是可行的,但我不断收到有关安全和缺乏支持的警告。有一个小的重写以 connect with mysqli 而不是 mysql 但是 mysqli_real_escape_string 呢?我已经看到它在示例中使用,但我也看到了使用准备好的语句而不是不使用 mysqli_real_escape_string 的建议。
我将如何使用准备好的语句来插入我的数据?到目前为止,我有点不知所措。例如,参数绑定(bind)是否仅适用于 INSERT,结果绑定(bind)仅适用于 SELECT?
最佳答案
将其转换为 PDO
/* connect */
$dsn = "mysql:host=localhost;db=test;charset=utf8";
$opt = array(
PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC
);
$pdo = new PDO($dsn,"user", "passw", $opt);
/* insert */
$query = "INSERT INTO personal (LastName, FirstName) VALUES (?, ?)";
$stmt = $pdo->prepare($query);
$stmt->execute(array($_POST['lastName'],$_POST['firstName']));
$query = "INSERT INTO exam (Level, Centre, BackupCentre, etc) VALUES (?, ?, ?, 'etc')";
$stmt = $pdo->prepare($query);
$stmt->execute(array($_POST['level'], $centre, $backup));
关于php - 如何从 mysql* 升级到 mysqli*?,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/16220013/