我正在为课堂制作游戏,我决定在其中包含可以修改设置的管理区域。目前,这就是我建立数据库连接的方式:
db_config.php:
<?php
defined('DB_SERVER') ? null : define('DB_SERVER', 'localhost');
defined('DB_USER') ? null : define('DB_USER', 'root');
defined('DB_PASS') ? null : define('DB_PASS', 'root');
defined('DB_NAME') ? null : define('DB_NAME', 'game');
?>
database.php中:
<?php
require_once('db_config.php');
class DatabaseConnect {
public function __construct($db_server, $db_user, $db_pass, $db_name) {
if (!@$this->Connect($db_server, $db_user, $db_pass, $db_name)) {
echo 'Connection failed.';
} else if ($this->Connect($db_server, $db_user, $db_pass, $db_name)){
}
}
public function Connect($db_server, $db_user, $db_pass, $db_name) {
if (!mysqli_connect($db_server, $db_user, $db_pass, $db_name)) {
return false;
} else {
return true;
}
}
}
$connection = new DatabaseConnect(DB_SERVER, DB_USER, DB_PASS, DB_NAME);
?>
到目前为止,我在查询中使用了mysql_real_escape_string,我知道我不应该手动转义。我还在学习PHP,所以有些事情需要我一段时间才能掌握。我已经看过php.net准备好的声明手册,但我不确定是否需要改变我连接数据库的方式。
所以基本上我要问的是,如果我有这个查询(或任何查询):
if (isset($_POST['submit'])) {
// Process the form
$id = $current_page["id"];
$menu_name = mysql_prep($_POST["menu_name"]);
$position = (int) $_POST["position"];
$visible = (int) $_POST["visible"];
$content = mysql_prep($_POST["content"]);
// validations
$required_fields = array("menu_name", "position", "visible", "content");
validate_presences($required_fields);
$fields_with_max_lengths = array("menu_name" => 30);
validate_max_lengths($fields_with_max_lengths);
if (empty($errors)) {
// Perform Update
$query = "UPDATE pages SET ";
$query .= "menu_name = '{$menu_name}', ";
$query .= "position = {$position}, ";
$query .= "visible = {$visible}, ";
$query .= "content = '{$content}' ";
$query .= "WHERE id = {$id} ";
$query .= "LIMIT 1";
$result = mysqli_query($connection, $query);
if ($result && mysqli_affected_rows($connection) == 1) {
// Success
$_SESSION["message"] = "Page updated.";
redirect_to("manage_content.php?page={$id}");
} else {
// Failure
$_SESSION["message"] = "Page update failed.";
}
}
} else {
// This is probably a GET request
} // end: if (isset($_POST['submit']))
?>
如何将其更改为准备好的声明?
答案 0 :(得分:2)
对于SQL部分,请尝试使用&gt;&gt;
$records_found = 0;
$record = false;
$cn = mysqli_connect($host, $user, $pass, $data);
$query = "UPDATE pages SET menu_name=?, position=?, visible=?, content=? WHERE id=? LIMIT 1"
$stmt = mysqli_prepare($cn, $query);
$stmt->bind_param("s", $menu_name);
$stmt->bind_param("s", $position);
$stmt->bind_param("s", $visible);
$stmt->bind_param("s", $content);
$stmt->bind_param("d", $id);
$result = $stmt->execute();
if($result) {
$result = $stmt->get_result();
if($result) {
while($row = $result->fetch_assoc()) {
if($records_found == 1) {
break;
}
$record = $row;
$records_found++;
}
mysqli_free_result($result);
}
}
mysqli_close($cn);
// Output the record found if any
if($record) {
var_export($record);
} else {
echo 'No records found';
}
另外,请阅读此处的文档&gt;&gt; mysqli.prepare&lt;&lt;因为有一些非常好的例子。
**注意:上面的解决方案提供了完整的代码,从连接到数据库,关闭连接并释放所消耗的内存,后面的条件块允许您使用生成的行(如果找到)。基本上,除了or die(mysqli_error($cn));之外,所有陷阱都是完整的。
答案 1 :(得分:1)
这是您创建预备声明的方式。
$query = "UPDATE pages SET menu_name=?, position = ?,
visible=?, content=? WHERE id=? LIMIT 1";
$stmt = mysqli_prepare($connection, $query);
$result = false;
if($stmt){
mysqli_stmt_bind_param( $stmt, "ssdsd", $menu_name,
$position, $visible, $content,$id );
$result = mysqli_stmt_execute($stmt);
mysqli_stmt_close($stmt);
}
if($result){
//Successful
}
else{
//Unsuccessful
}
我对数据库中的字段类型做了一些假设,但符号在mysqli_stmt_bind_param中,'s'代表字符串,'d'代表整数。