这是我的 sql 查询,它如何被参数化?
我想将“$productId”参数化为动态添加的。
$result = $app->getReadDb()->query("SELECT value FROM catalog_product_entity_varchar WHERE row_id = '".$productId."' AND attribute_id = (SELECT attribute_id FROM eav_attribute WHERE attribute_code = 'name' AND entity_type_id = 4)");
$productName = $result->fetchAll();
“$app->getReadDb()”中有以下方法。
Array
(
[0] => __construct
[1] => prepare
[2] => beginTransaction
[3] => commit
[4] => rollBack
[5] => inTransaction
[6] => setAttribute
[7] => exec
[8] => query
[9] => lastInsertId
[10] => errorCode
[11] => errorInfo
[12] => getAttribute
[13] => quote
[14] => getAvailableDrivers
)
我不确定如何参数化上述查询,有什么想法可以做到吗?
我试过了
$result = $app->getReadDb()->query("SELECT value FROM catalog_product_entity_varchar WHERE row_id = '".$productId."' AND attribute_id = (SELECT attribute_id FROM eav_attribute WHERE attribute_code = 'name' AND entity_type_id = :attribute_name)");
$productName = $app->getReadDb()->fetchAll($result, ['attribute_name' => 4]);
print_r($productName); exit;
但它不起作用
答案 0 :(得分:1)
我不确定 parameterise 的意思。
如果您的意思是将 $productId 连接到 sql 而不是使用 php str concat,则可以像这样使用 PDO PrepareStatement。
$sql = "SELECT value FROM catalog_product_entity_varchar WHERE row_id = :product_id
AND attribute_id =
(SELECT attribute_id FROM eav_attribute WHERE attribute_code = 'name' AND entity_type_id = :attribute_name)"
$statement = $app->getReadDb()->prepare($sql);
$statement->execute(array(':product_id'=>$productId,':attribute_name'=>4));
$productName = statement->fetchAll();
print_r($productName); exit;
如果您的意思不是 $productId 一直存在,您需要根据 $productId 更改 sql,这是一个典型的解决方案
$sql = "SELECT value FROM catalog_product_entity_varchar WHERE 1=1";
if($productId){
$sql .= " and row_id ='{$productId}'";
}
if($attributeName){
$sql .= " and attribute_id =
(SELECT attribute_id FROM eav_attribute WHERE attribute_code = 'name' AND entity_type_id = {$attributeName})";
}
$result = $app->getReadDb()->query($sql);
$productName = $result->fetchAll();
print_r($productName); exit;