@(PDO(PHP data object/PHP数据对象))[PDO|预处理语句|参数化查询]
PDO Tutorial for MySQL Developers
Using Prepared Statements to Stop Injection AttacksThe database library called PHP Data Objects or PDO for short can use drivers for many different database types, and supports a very important feature known as
prepared statements, sometimes also known asparametrized queries.
PDO::prepare
Paste_Image.png
在执行之前,对一条语句进行预处理,并返回一个语句对象。
预处理一条 SQL 语句,以便 PDOStatement::execute() 方法执行。该 SQL 语句可以包含 0 或更多个命名参数(:name)或问号参数(?),这些参数的真实值在语句执行的时候会被替换掉。使用这些参数绑定所有的用户输入的数据,不要在查询中直接包含用户输入的数据。
返回值:
如果数据库服务器成功地预处理了该语句,PDO::prepare() 将会返回一个 PDOStatement 对象;否则,返回 false 或 抛出 PDOException(依 error handling 而定)。
模拟的预处理语句并没有与数据库服务器进行通信,所以
PDO::prepare()并没有检查该语句。
PDOStatement::bindParam
Paste_Image.png
原来 PDO 官方手册的简要描述的描述顺序有点怪怪的,并且后面的详细描述也不一致。所以这里把简要描述跟详细描述中的描述顺序统一一下。
Binds the specified variable name to a parameter.
绑定 指定的变量名(只能是 $name 的形式)到 一个参数(:name 或 ?参数 ,可以是 :name 或 从1 开始的索引 的形式)。
绑定 一个 PHP 变量 到 预处理语句中对应的命名占位符或问号占位符。
与 PDOStatement::bindValue() 不同的是:PDOStatement::bindParam() 中的变量是作为引用而绑定的,并且只有在调用 PDOStatement::execute() 的时候才会读取这个变量的值。
Note we used
bindValueand notbindParam. Trying to bind a parameter by reference will generate a Fatal Error and this cannot be caught byPDOExceptioneither.
但如果需要循环执行预处理语句,最好使用bindParam,具体原因见对应的章节:Executing prepared statements in a loop。
返回值:
成功则返回 true,失败则返回 false
例如:
/* Execute a prepared statement by binding PHP variables */
$calories = 150;
$colour = 'red';
$sth = $dbh->prepare('SELECT name, colour, calories
FROM fruit
WHERE calories < :calories AND colour = :colour');
$sth->bindParam(':calories', $calories, PDO::PARAM_INT);
$sth->bindParam(':colour', $colour, PDO::PARAM_STR, 12);
$sth->execute();
/* Execute a prepared statement by binding PHP variables */
$calories = 150;
$colour = 'red';
$sth = $dbh->prepare('SELECT name, colour, calories
FROM fruit
WHERE calories < ? AND colour = ?');
$sth->bindParam(1, $calories, PDO::PARAM_INT);
$sth->bindParam(2, $colour, PDO::PARAM_STR, 12);
$sth->execute();
PDOStatement::bindValue
Paste_Image.png
Binds a value to a parameter.
绑定 一个值(可以是 $name 或 'Jack' 的形式) 到 一个参数(:name 或 ?参数 ,可以是 :name 或 从1 开始的索引 的形式)。
绑定 一个值 到 预处理语句中对应的命名占位符或问号占位符。
返回值:
成功则返回 true,失败则返回 false
例如:
$stm->bindValue(':name',$name);
$stm->bindValue(':name','Jack');
PDOStatement::execute
Paste_Image.png
Executes a prepared statement.
执行一条 经过预处理的语句。
如果预处理语句中包含占位符,则必须执行以下两点之一:
- 调用PDOStatement::bindParam() 或 PDOStatement::bindValue() 把变量或值绑定到占位符上。
- 或 传入一个数组
1. 参数:
$input_parameters:一个数组。数组的元素数量 应该与 需要执行的 SQL 语句中占位符数量 相等。
所有的值作为
PDO::PARAM_STR处理。不能绑定多个值到一个单独的参数;比如,不能绑定两个值到
IN()子句中一个单独的命名占位符。绑定值的数量不能超过指定的数量。如果在
$input_parameters的键名数量 比PDO::prepare()中的 SQL 语句中指定的参数的数量还要多,则该语句将会失败并发出一个错误。$input_parameters中的键名 必须和 SQL 中声明的 相匹配。在 PHP 5.2.0 之前,这是被忽略的。
2. 返回值:
成功则返回 true,失败则返回 false
例如:
/* Execute a prepared statement by passing an array of insert values */
$calories = 150;
$colour = 'red';
$sth = $dbh->prepare('SELECT name, colour, calories
FROM fruit
WHERE calories < :calories AND colour = :colour');
$sth->execute(array(':calories' => $calories, ':colour' => $colour));
/* Execute a prepared statement by passing an array of insert values */
$calories = 150;
$colour = 'red';
$sth = $dbh->prepare('SELECT name, colour, calories
FROM fruit
WHERE calories < ? AND colour = ?');
$sth->execute(array($calories, $colour));
Preparing Statements using SQL functions
You may ask how do you use SQL functions with prepared statements. I’ve seen people try to bind functions into placeholders like so:
//THIS WILL NOT WORK!
$time = 'NOW()';
$name = 'BOB';
$stmt = $db->prepare("INSERT INTO table(`time`, `name`) VALUES(?, ?)");
$stmt->execute(array($time, $name));
This does not work, you need to put the function in the query as normal:
$name = 'BOB';
$stmt = $db->prepare("INSERT INTO table(`time`, `name`) VALUES(NOW(), ?)");
$stmt->execute(array($name));
You can bind arguments into SQL functions however:
$name = 'BOB';
$password = 'badpass';
$stmt = $db->prepare("INSERT INTO table(`hexvalue`, `password`) VALUES(HEX(?), PASSWORD(?))");
$stmt->execute(array($name, $password));
Also note that this does NOT work for LIKE statements:
//THIS DOES NOT WORK
$stmt = $db->prepare("SELECT field FROM table WHERE field LIKE %?%");
$stmt->bindParam(1, $search, PDO::PARAM_STR);
$stmt->execute();
So do this instead:
$stmt = $db->prepare("SELECT field FROM table WHERE field LIKE ?");
$stmt->bindValue(1, "%$search%", PDO::PARAM_STR);
$stmt->execute();
Note we used
bindValueand notbindParam. Trying to bind a parameter by reference will generate a Fatal Error and this cannot be caught byPDOExceptioneither.
但如果需要循环执行预处理语句,最好使用bindParam,具体原因见对应的章节:Executing prepared statements in a loop。
Executing prepared statements in a loop
Prepared statements excel in being called multiple times in a row with different values.
Because the sql statement gets compiled first, it can be called multiple times in a row with different arguments, and you’ll get a big speed increase vs calling mysql_query over and over again!
Typically this is done by binding parameters with bindParam. bindParam is much like bindValue except instead of binding the value of a variable, it binds the variable itself, so that if the variable changes, it will be read at the time of execute.
$values = array('bob', 'alice', 'lisa', 'john');
$name = '';
$stmt = $db->prepare("INSERT INTO table(`name`) VALUES(:name)");
$stmt->bindParam(':name', $name, PDO::PARAM_STR);
foreach($values as $name) {
$stmt->execute();
}
Transactions
Here’s an example of using transactions in PDO: (note that calling beginTransaction() turns off auto commit automatically):
try {
$db->beginTransaction();
$db->exec("SOME QUERY");
$stmt = $db->prepare("SOME OTHER QUERY?");
$stmt->execute(array($value));
$stmt = $db->prepare("YET ANOTHER QUERY??");
$stmt->execute(array($value2, $value3));
$db->commit();
} catch(PDOException $ex) {
//Something went wrong rollback!
$db->rollBack();
echo $ex->getMessage();
}
