Is there a difference between bind_param and bind_result?

I know that binding the parameter instead of using mysqli_real_escape_string() would be better, but because of my host I have no chance to use the mysqlnd driver. So is binding the parameter and then using bind_result also safe? Here are two examples of what I mean. The easiest way for me would be to do it with mysql_real_escape_string(), but if I understand correctly that is no longer safe, is it?

bind_param:

<?php 

$link = mysqli_connect("127.0.0.1", "user", "password", "world"); 

if (!$link)
{
    $error = mysqli_connect_error();
    $errno = mysqli_connect_errno();
    print "$errno: $error\n";
    exit();
}

/* The SQL text with its placeholder is parsed by the server at prepare time,
   before any value is bound, so a bound value can never change the statement. */
$query = "SELECT Name, Population, Continent FROM Country WHERE Continent=? ORDER BY Name LIMIT 1";

$stmt = mysqli_stmt_init($link);
if(!mysqli_stmt_prepare($stmt, $query))
{
    print "Failed to prepare statement\n";
}
else
{
    /* Bound by reference once; each execute sends the current value of $continent */
    mysqli_stmt_bind_param($stmt, "s", $continent);

    $continent_array = array('Europe','Africa','Asia','North America');

    foreach($continent_array as $continent)
    {
        mysqli_stmt_execute($stmt);
        /* mysqli_stmt_get_result() is only available with the mysqlnd driver */
        $result = mysqli_stmt_get_result($stmt);
        while ($row = mysqli_fetch_array($result, MYSQLI_NUM))
        {
            foreach ($row as $r)
            {
                print "$r ";
            }
            print "\n";
        }
    }
}
mysqli_stmt_close($stmt);
mysqli_close($link);
?>

Now bind_result:

<?php
$link = mysqli_connect("localhost", "my_user", "my_password", "world");

/* check connection */
if (mysqli_connect_errno()) {
    printf("Connect failed: %s\n", mysqli_connect_error());
    exit();
}

$query = "SELECT Name, CountryCode FROM City ORDER by ID DESC LIMIT 150,5";

if ($stmt = mysqli_prepare($link, $query)) {

    /* execute statement */
    mysqli_stmt_execute($stmt);

    /* bind result variables; this works without mysqlnd */
    mysqli_stmt_bind_result($stmt, $name, $code);

    /* fetch values: each fetch writes the next row into $name and $code */
    while (mysqli_stmt_fetch($stmt)) {
        printf ("%s (%s)\n", $name, $code);
    }

    /* close statement */
    mysqli_stmt_close($stmt);
}

/* close connection */
mysqli_close($link);
?>

There is a big difference; they belong to two different parts of the process.

bind_param is used to bind the variables that go into the query.

$stmt = $mysqli->prepare("INSERT INTO CountryLanguage VALUES (?, ?, ?, ?)");
$stmt->bind_param('sssd', $code, $language, $official, $percent); // <-- This is for the question marks (types: s = string, d = double)

bind_result assigns the variables that come out of the query.

$stmt = $mysqli->prepare("SELECT id, name FROM country");
$stmt->execute();
$stmt->bind_result($col1, $col2); // <-- The values from id will be assigned to $col1, and the values from name will be in $col2, inside your loop
while ($stmt->fetch()) {
    printf("%s %s\n", $col1, $col2);
}

They can be used together, or not at all. For example, you may want to handle the variables going into the query in another way, and the second query I showed does not need bind_param at all, because there are no parameters to bind.
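To tie the two halves of the answer together, here is an added example (not from the question or the answer above) that uses bind_param for the input and bind_result for the output in the same statement, without any call that needs mysqlnd. It assumes the same "world" sample database and credentials as the question; the injection-style input string is constructed for illustration. It also shows the escaping path the asker mentions, with the two conditions under which mysqli_real_escape_string() is actually correct: the connection charset must be set with mysqli_set_charset(), and the escaped value must be placed inside quotes.

```php
<?php
// Added example, not code from the question or the answer.
// Assumes the "world" sample database used above (City has Name, CountryCode).

$link = mysqli_connect("localhost", "my_user", "my_password", "world");
if (mysqli_connect_errno()) {
    printf("Connect failed: %s\n", mysqli_connect_error());
    exit();
}

// Tell the server which charset the client uses. Prepared statements do not
// depend on this for safety, but mysqli_real_escape_string() does: it escapes
// for the connection charset, and mismatches are what made escaping unsafe.
mysqli_set_charset($link, "utf8mb4");

// Constructed attacker-style input: concatenated into SQL it would close the
// quotes and append OR '1'='1'; as a bound value it simply matches no row.
$code = "NLD' OR '1'='1";

// 1) Prepared statement: bind_param for the input, bind_result for the output.
//    The SQL text is parsed at prepare time; the value travels separately and
//    cannot alter the statement's structure. Nothing here requires mysqlnd.
$query = "SELECT Name, CountryCode FROM City WHERE CountryCode = ? ORDER BY Name LIMIT 5";

if ($stmt = mysqli_prepare($link, $query)) {
    mysqli_stmt_bind_param($stmt, "s", $code);   // input side
    mysqli_stmt_execute($stmt);
    mysqli_stmt_bind_result($stmt, $name, $cc);  // output side

    $rows = 0;
    while (mysqli_stmt_fetch($stmt)) {
        printf("%s (%s)\n", $name, $cc);
        $rows++;
    }
    printf("prepared: %d row(s)\n", $rows);      // expect 0 for the input above
    mysqli_stmt_close($stmt);
} else {
    printf("Prepare failed: %s\n", mysqli_error($link));
}

// 2) Escaping path, for comparison. Only correct when the charset is set (above)
//    AND the escaped value is wrapped in quotes in the SQL text. Escaping a value
//    that is used unquoted, or as a column/table name, gives no protection.
$safe = mysqli_real_escape_string($link, $code);
$sql  = "SELECT Name, CountryCode FROM City WHERE CountryCode = '" . $safe . "' ORDER BY Name LIMIT 5";

if ($res = mysqli_query($link, $sql)) {
    printf("escaped: %d row(s)\n", mysqli_num_rows($res));  // also 0 here
    mysqli_free_result($res);
} else {
    printf("Query failed: %s\n", mysqli_error($link));
}

mysqli_close($link);
?>
```

With bind_param the server never sees the quote characters as SQL, so the same input that would be an injection when concatenated is just a value that matches nothing. The escaping variant reaches the same result only because both conditions noted in the comments hold; the prepared statement needs neither.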