我想使用数组中的参数在php中准备一个sql查询。它应该是一份准备好的声明。
假设这是带参数的数组
$params = array("arg1" => 1, "arg2" => 0, "arg3" => 1)
我希望我的查询看起来像
SELECT * FROM table WHERE arg1 = 1 AND arg2 = 0 AND arg3 = 1
$qry= 'SELECT * FROM table WHERE ';
foreach($params as $key => $value)
{
$qry .= $key . '=' . $value . ' AND ';
}
$qry = substr($qry, 0, -5); // remove last ' AND '
这应该足以让你入门。根据您运行的MySQL / SQL / PHP版本,您可能需要在变量周围加上引号。此解决方案不涉及sql注入或预处理语句。你可以添加?或者:变量取决于您如何构建准备好的语句。其他选项...您可以将数组内爆为“AND”分隔的字符串。 How to use array variable into mysql query in php/mysql
如果要使用PDO管理预准备语句,请尝试以下代码:
<?php
$servername = "hostname";
$username = "username";
$password = "password";
$dbname = "database";
try {
$conn = new PDO("mysql:host=$servername;dbname=$dbname", $username, $password);
// set the PDO error mode to exception
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// prepare sql
$sql = "SELECT * FROM Persons";
// considering this is the array you want to use to prepare the sql
$params = array("LastName" => 1, "FirstName" => 1, "Address" => 1);
foreach($params as $attr => $val) {
$where[] = "$attr = :$attr";
}
$sql .= " where " . join(' and ', $where); // *** where LastName = :LastName and FirstName = :FirstName and Address = :Address
$stmt = $conn->prepare($sql); // *** SELECT * FROM Persons where LastName = :LastName and FirstName = :FirstName and Address = :Address
// bind parameters
foreach($params as $attr => $val) {
$stmt->bindValue(":$attr", $val, PDO::PARAM_STR);
}
$stmt->execute();
//$stmt->debugDumpParams();
echo $stmt->rowCount();
print_r($stmt->fetch());
}
catch(PDOException $e)
{
echo "Error: " . $e->getMessage();
}
或者,如果您想使用mysqli管理预准备语句,请尝试以下操作:
<?php
$servername = "hostname";
$username = "username";
$password = "password";
$dbname = "database";
// Create connection
$conn = new mysqli($servername, $username, $password, $dbname);
// Check connection
if ($conn->connect_error) {
die("Connection failed: " . $conn->connect_error);
}
$sql = "SELECT * FROM Persons";
// considering this is the array you want to use to prepare the sql
$params = array("LastName" => 1, "FirstName" => 0, "Address" => 1);
$sqltype = "";
foreach($params as $attr => $val) {
$where[] = "$attr = ?";
$sqltype .= 's';
$bind_val[] = $val;
}
$sql .= " where " . join(' and ', $where); // *** SELECT * FROM Persons where LastName = ? and FirstName = ? and Address = ?
// prepare sql
$stmt = $conn->prepare($sql);
// bind parameters
$stmt->bind_param( $sqltype, ...$bind_val ); // *** $stmt->bind_param("sss", 1, 0, 1);
$stmt->execute();
$result = $stmt->get_result();
echo $result->num_rows;
print_r($result);