我可以在数组的每次迭代中调用存储过程吗? PHP
Can I call a stored procedure on each iteration of an array? PHP
我想遍历表示 table 的列和值的关联数组,并在每次迭代时调用一个存储过程,将每个值插入到其各自的列中。该协会。数组和循环如下所示:
public static function update(
int $auctionId,
string $title,
string $description
) : void
{
$new = [
'auction_title' => $title,
'description' => $description
];
foreach ($new as $columnName => $value) {
Database::conn()->callSP('sp_auctions_update', [$auctionId, $columnName, $value]);
}
}
存储过程如下所示:
DELIMITER $$
DROP PROCEDURE IF EXISTS sp_auctions_update $$
CREATE PROCEDURE sp_auctions_update(
IN auctionId INT UNSIGNED,
IN columnName,
IN value,
)
SQL SECURITY INVOKER
MODIFIES SQL DATA
BEGIN
UPDATE auctions SET @columnName=@value, WHERE id=@auctionId;
END $$
DELIMITER ;
这可以吗?或者有更好的选择吗?非常感谢
do you know what the prepared statement would look like in this instance?
CREATE PROCEDURE sp_auctions_update(
IN auctionId INT UNSIGNED,
IN columnName VARCHAR(64),
IN `value` INT UNSIGNED
)
SQL SECURITY INVOKER
MODIFIES SQL DATA
BEGIN
-- Build SQL query text, insert column name from variable into it
SET @sql := CONCAT('UPDATE auctions SET ', columnName, '=? WHERE id=?;');
-- Reassign parameters values from local variables to user-defined ones
-- because local variables cannot be used in USING
SET @value := `value`;
SET @auctionId := auctionId;
-- Prepare and execute the query
PREPARE stmt FROM @sql;
EXECUTE stmt USING @value, @auctionId;
DEALLOCATE PREPARE stmt;
END
或者,您可以将所有参数值连接到查询文本中:
CREATE PROCEDURE sp_auctions_update(
IN auctionId INT UNSIGNED,
IN columnName VARCHAR(64),
IN `value` INT UNSIGNED
)
SQL SECURITY INVOKER
MODIFIES SQL DATA
BEGIN
-- Build SQL query text, insert parameters from variables into it
SET @sql := CONCAT('UPDATE auctions SET ', columnName, '=\'', `value`, '\' WHERE id=', auctionId, ';');
-- Prepare and execute the query
PREPARE stmt FROM @sql;
EXECUTE stmt;
DEALLOCATE PREPARE stmt;
END
注意。
columnName 参数值被插入到 SQL 查询文本 as-is - 所以注入是可能的。您必须添加控制此参数值的代码。例如,您可以检查 table 结构中是否存在具有提供名称的列。
另外 2 个参数由于其数字数据类型而不能作为注入源。
我想遍历表示 table 的列和值的关联数组,并在每次迭代时调用一个存储过程,将每个值插入到其各自的列中。该协会。数组和循环如下所示:
public static function update(
int $auctionId,
string $title,
string $description
) : void
{
$new = [
'auction_title' => $title,
'description' => $description
];
foreach ($new as $columnName => $value) {
Database::conn()->callSP('sp_auctions_update', [$auctionId, $columnName, $value]);
}
}
存储过程如下所示:
DELIMITER $$
DROP PROCEDURE IF EXISTS sp_auctions_update $$
CREATE PROCEDURE sp_auctions_update(
IN auctionId INT UNSIGNED,
IN columnName,
IN value,
)
SQL SECURITY INVOKER
MODIFIES SQL DATA
BEGIN
UPDATE auctions SET @columnName=@value, WHERE id=@auctionId;
END $$
DELIMITER ;
这可以吗?或者有更好的选择吗?非常感谢
do you know what the prepared statement would look like in this instance?
CREATE PROCEDURE sp_auctions_update(
IN auctionId INT UNSIGNED,
IN columnName VARCHAR(64),
IN `value` INT UNSIGNED
)
SQL SECURITY INVOKER
MODIFIES SQL DATA
BEGIN
-- Build SQL query text, insert column name from variable into it
SET @sql := CONCAT('UPDATE auctions SET ', columnName, '=? WHERE id=?;');
-- Reassign parameters values from local variables to user-defined ones
-- because local variables cannot be used in USING
SET @value := `value`;
SET @auctionId := auctionId;
-- Prepare and execute the query
PREPARE stmt FROM @sql;
EXECUTE stmt USING @value, @auctionId;
DEALLOCATE PREPARE stmt;
END
或者,您可以将所有参数值连接到查询文本中:
CREATE PROCEDURE sp_auctions_update(
IN auctionId INT UNSIGNED,
IN columnName VARCHAR(64),
IN `value` INT UNSIGNED
)
SQL SECURITY INVOKER
MODIFIES SQL DATA
BEGIN
-- Build SQL query text, insert parameters from variables into it
SET @sql := CONCAT('UPDATE auctions SET ', columnName, '=\'', `value`, '\' WHERE id=', auctionId, ';');
-- Prepare and execute the query
PREPARE stmt FROM @sql;
EXECUTE stmt;
DEALLOCATE PREPARE stmt;
END
注意。
columnName 参数值被插入到 SQL 查询文本 as-is - 所以注入是可能的。您必须添加控制此参数值的代码。例如,您可以检查 table 结构中是否存在具有提供名称的列。
另外 2 个参数由于其数字数据类型而不能作为注入源。