Use PHP MySQLi prepared statements without references?
Is there a way to use MySQLi prepared statements without passing references?

[Background: I'm very new to PHP and MySQL, but I've inherited a private WordPress plugin to maintain, so I'm learning as I go.]

I understand that prepared statements are useful for preventing SQL injection and potentially also for speeding up queries (if the statements are kept around), but the need for referenced variables seems odd. Is the idea that one calls bind_param and then, when making subsequent queries, just sets data into those bound variables rather than interacting with the statement?

Right now the code I'm refactoring has 17 variables passed to bind_param. I made a class to hold all the data so I no longer have to pass 17 variables from one function to another, but the following obviously fails because my class doesn't return references:

$stmt->bind_param('ssssssisssssssssi',
    $my_class->get(FIELD_ONE),
    $my_class->get(FIELD_TWO),
    /*...x15 more...*/)

Given that the code currently discards $stmt immediately after $stmt->execute() (so there are no long-lived variables to keep track of), is there any way I can use prepared statements without having to worry about creating temporary variables just so I can bind them? Is there another class/interface I could or should be using?

Thanks!
Is the idea that one calls bind_param up front and then when making subsequent queries just sets data into those bound variables rather than interacting with the statement at all?

Yes. The typical operation of a prepared statement with bound variables is:

prepare statement;
bind params;
for (some loop) {
    assign values to params;
    execute statement;
}

In MySQLi you only have the option of bind_param, so you are restricted to passing references. If you don't mind changing interfaces, you could switch to PDO, which has a bindValue function that works with values rather than references. PDO will also let you avoid a call to bind parameters/values altogether by simply passing an array of values to the statement's execute call.
Yes, there is.

Not long ago an invaluable feature was added to PHP: the argument unpacking operator. It has a billion uses, and helping you in this case is one of them.

Just add ...[ before your list of values and ] after it, and voilà, it works!

$stmt->bind_param('ssssssisssssssssi', ...[
    $my_class->get(FIELD_ONE),
    $my_class->get(FIELD_TWO),
    /*...x15 more...*/
]);

Hint: you can also use this handy operator to encapsulate that boring prepare/bind/execute process in a simple function.
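As an added example (not code from the question or either answer), here is the kind of helper the hint refers to: it wraps prepare/bind/execute so callers pass plain values, with unpacking supplying the references bind_param requires. It assumes PHP 7 or later with mysqlnd (for get_result); the connection credentials, the plugin_entries table and the $my_class/FIELD_* names are placeholders.

```php
<?php
// Added example, not from the original post: a helper that hides the
// prepare/bind/execute dance so callers pass plain values, never references.
// Assumes PHP >= 7 with mysqlnd; credentials, table name and the
// $my_class / FIELD_* names are placeholders.

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on any error

function prepared_query(mysqli $db, string $sql, array $params = []): mysqli_stmt
{
    $stmt = $db->prepare($sql);
    if ($params !== []) {
        // Derive the type string from the values: i = int, d = float, s = string
        // (nulls are sent as NULL regardless of the letter).
        $types = '';
        foreach ($params as $p) {
            $types .= is_int($p) ? 'i' : (is_float($p) ? 'd' : 's');
        }
        // Re-index so unpacking works on older PHP; unpacking a local array
        // satisfies bind_param's by-reference signature. The values are sent
        // separately from the SQL text, which is what defeats injection.
        $params = array_values($params);
        $stmt->bind_param($types, ...$params);
    }
    $stmt->execute();
    return $stmt;
}

$db = new mysqli('localhost', 'db_user', 'db_pass', 'plugin_db'); // placeholders

// Write: the class getters return plain values, which is all the helper needs.
// A string containing quotes is stored literally, never interpreted as SQL.
prepared_query(
    $db,
    'INSERT INTO plugin_entries (title, body, views) VALUES (?, ?, ?)',
    [$my_class->get(FIELD_ONE), $my_class->get(FIELD_TWO), 0]
);

// Read: same helper, rows fetched as associative arrays.
$rows = prepared_query($db, 'SELECT id, title FROM plugin_entries WHERE views < ?', [10])
    ->get_result()
    ->fetch_all(MYSQLI_ASSOC);
```

On PHP 8.1 and later, mysqli_stmt::execute() accepts an array of values directly, so the bind_param step in the helper can be dropped there.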