如何为动态 sql 语句准备 mysqli 语句

Question

我想为动态 SQL 语句制作一个准备好的语句，该语句取决于用户决定。所以我事先不知道它会是什么样子。我不能提前为它做一个'template'。例如：

<?php
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$conn = new mysqli('localhost','root','','test');

if (isset($_POST['submit'])){

$build = "";

 if(!empty($_POST['city'])){
 $city=$_POST['city'];
 $build.= "AND city= $city ";

   }

 if(!empty($_POST['type'])){
 $type=$_POST['type'];
 $build.= "AND type = $type ";

   }

  $build= substr_replace($build,'',0,3);

  $sql = "SELECT * FROM proizvodi WHERE $build";

  $search=$conn->query($sql);

  $num = $search->num_rows;

        if($num>0){

            echo "<table>";

            while($row = $search->fetch_object()){
            echo "<tr>";

            echo "<td>".$row->name."</td>";
            echo "<td>".$row->surname."</td>";
            echo "<td>".$row->price."</td>";

            echo "</tr>";
    }       
            echo "</table>";
    }

}else{
     echo "Put some value";
}

?>
<form action="" method="post">
<input type="text" name="house" id="city"/>City
<input type="text" name="flat" id="type"/>Type
<input type="submit" name="submit" id="submit" value="Submit"/>
</form>

我有一些想法为每个 $build 字符串制作准备语句，但我不确定这是否可行，以及如果我有几十个可能的用户输入怎么办。那将是太多的代码。有没有更优雅的方法来做到这一点？谢谢！

Answer 1

这可能对你有帮助@Bunny Davis，

$data  = $_POST[];
$query = "SELECT * FROM proizvodi WHERE 1";
foreach ($data as $key => $value) {
    $query .= " AND $key ='$value'";
}
//now $query is your final query

Answer 2

根据上述想法构建准备好的语句时，您需要考虑如何构建 SQL 和绑定变量。

$build = "";
$bindType = "";   // String for bind types
$data = [];   // Array for the bound fields

if(!empty($_POST['city'])){
    $bindType .= "s";             // This is a string bind
    $data[] = $_POST['city'];     // Add the field into the list of bound fields
    $build .= "AND city= ? ";     // ? for the bound field
}

因此，对您要使用的每个字段重复此模式（除了不要重新初始化各种内容，包括 $data 数组）。将每个项目添加到 $bindType 会构建一个与 http://php.net/manual/en/mysqli-stmt.bind-param.php.

上一样的各种类型的字符串

然后执行查询，使用 splat 运算符 (...) 绑定数组值...

$sql = "SELECT * FROM proizvodi WHERE $build";

$search=$conn->prepare($sql);
$search->bind_param($bindType, ...$data);
$search->execute();

如何为动态 sql 语句准备 mysqli 语句

How to make prepared mysqli statements for dynamic sql statement

php

mysqli

prepared-statement