mysql_ to PDO: did I do it right?

(browseroutput.jpg)

I just switched from the old mysql_* code of an old tutorial to PDO and want to know whether I did it right. I don't get mysql_* and PDO: are they drivers, or just different ways of fetching data?

My code works fine, but I somewhat doubt that it is effective, since I am a beginner.

```php
<?php
// New PDO variant

try {
    $user = "user";
    $pass = "";

    $pdo = new PDO('mysql:host=localhost;dbname=testdb', $user, $pass);

    // build query from the request parameters
    $age = $_GET['age'];
    $sex = $_GET['sex'];
    $wpm = $_GET['wpm'];

    // $sex is interpolated straight into the SQL string
    $query = "SELECT * FROM ajax_example WHERE sex = '$sex'";

    if (is_numeric($age))
        $query .= " AND age <= $age";

    if (is_numeric($wpm))
        $query .= " AND wpm <= $wpm";

    $stmt = $pdo->prepare($query);

    $display_string = "<table>";
    $display_string .= "<tr>";
    $display_string .= "<th>Name</th>";
    $display_string .= "<th>Age</th>";
    $display_string .= "<th>Sex</th>";
    $display_string .= "<th>WPM</th>";
    $display_string .= "</tr>";

    // the query contains no placeholders, so there is nothing to bind
    $stmt->execute();

    foreach ($stmt as $row) {
        $display_string .= "<tr>";
        $display_string .= "<td>$row[name]</td>";
        $display_string .= "<td>$row[age]</td>";
        $display_string .= "<td>$row[sex]</td>";
        $display_string .= "<td>$row[wpm]</td>";
        $display_string .= "</tr>";
    }

    echo "Query: " . $query . "<br />";

    $display_string .= "</table>";
    echo $display_string;
    $pdo = null; // close the connection

} catch (PDOException $e) {
    print "Error!: " . $e->getMessage() . "<br/>";
    die();
}
?>
```

You should use a prepared statement and pass the parameters with `?`, for example:

```php
$sth = $dbh->prepare('SELECT * FROM ajax_example WHERE sex = ?');
$sth->execute(array('male'));
```

The query and the parameters will (obviously) vary depending on the values of $age and $wpm, but using prepared statements and bound parameters will help prevent SQL injection.
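Building the WHERE clause conditionally, as the original script did, while still binding every value, as an added example that is not code from the question or either answer. It keeps the table and column names from the question; the input array is a constructed stand-in for $_GET, and the connection settings are assumed:

```php
<?php
// Added example: conditional WHERE clause with '?' placeholders and a matching
// parameter array. Column names come from a fixed allow-list (they cannot be
// bound), user values go only into $params and never into the SQL string.
function buildQuery(array $input): array
{
    $sql    = "SELECT name, age, sex, wpm FROM ajax_example WHERE sex = ?";
    $params = [$input['sex'] ?? ''];

    foreach (['age', 'wpm'] as $col) {            // allow-listed column names
        if (isset($input[$col]) && is_numeric($input[$col])) {
            $sql     .= " AND $col <= ?";         // placeholder only
            $params[] = (int) $input[$col];       // value travels separately
        }
    }
    return [$sql, $params];
}

// Constructed input standing in for $_GET: a stray quote in 'sex' is just data
// once bound, and 'wpm' is skipped because it is not numeric.
$input = ['sex' => "male'", 'age' => '30', 'wpm' => 'abc'];
[$sql, $params] = buildQuery($input);
// $sql    is "SELECT name, age, sex, wpm FROM ajax_example WHERE sex = ? AND age <= ?"
// $params is ["male'", 30]

$pdo = new PDO('mysql:host=localhost;dbname=testdb', 'user', '', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // server-side prepares: no client-side splicing
]);
$stmt = $pdo->prepare($sql);
$stmt->execute($params);

echo "<table>";
foreach ($stmt->fetchAll(PDO::FETCH_ASSOC) as $row) {
    echo "<tr>";
    foreach (['name', 'age', 'sex', 'wpm'] as $col) {
        // Binding stops SQL injection; escaping on output stops stored HTML (XSS).
        echo "<td>" . htmlspecialchars((string) $row[$col], ENT_QUOTES, 'UTF-8') . "</td>";
    }
    echo "</tr>";
}
echo "</table>";
```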

You are almost right; you just missed the point of prepare().

```php
<?php
// New PDO variant
try {
    $user = "user";
    $pass = "";

    $pdo = new PDO('mysql:host=localhost;dbname=testdb', $user, $pass);

    // build query
    $age = intval($_GET['age']);
    $sex = $_GET['sex'];
    $wpm = intval($_GET['wpm']);

    // placeholders instead of interpolated values; PDO sends the values separately
    $query = "SELECT * FROM ajax_example WHERE sex = ? AND age <= ? AND wpm <= ?";
    $stmt  = $pdo->prepare($query);

    $stmt->execute(array($sex, $age, $wpm));

    $results = $stmt->fetchAll(PDO::FETCH_ASSOC);
    if (count($results) > 0) { // was count($results > 0), which counted a boolean
        echo "<table>";
        echo "<tr>";
        echo "<th>Name</th>";
        echo "<th>Age</th>";
        echo "<th>Sex</th>";
        echo "<th>WPM</th>";
        echo "</tr>";
        foreach ($results as $row) {
            echo "<tr>";
            // escape on output so data containing HTML is not rendered as markup
            echo "<td>" . htmlspecialchars($row['name']) . "</td>";
            echo "<td>" . htmlspecialchars($row['age']) . "</td>";
            echo "<td>" . htmlspecialchars($row['sex']) . "</td>";
            echo "<td>" . htmlspecialchars($row['wpm']) . "</td>";
            echo "</tr>";
        }
        echo "</table>";
    } else {
        echo "no results available";
    }
} catch (PDOException $e) {
    echo "Error!: " . $e->getMessage() . "<br/>";
}
?>
```