在 php bind_param 函数中插入 SQL 语句
Insert SQL statements in php bind_param function
所以我正在尝试使用 sql 命令准备来避免注入,但我不知道如何使用 SQL 语句 bind_param 函数。我的代码是这样的:
function saveContent($POST_DATA) {
$conn = new mysqli("HOST", "USER", "PASSWORD");
if ($conn->connect_error) {
return false;
} else {
$command = $conn->prepare("INSERT INTO events (title, dateHappening, time, topic,
subtopic, extraMessage) VALUES (?, ?, ?, ?, ?, ?)";
$command->bind_param("ssssss", $POST_DATA["inputTitre"], $POST_DATA["inputDate"],
$POST_DATA["inputHour"], $POST_DATA["selectTopic"], $POST_DATA["selectSubTopic"],
$POST_DATA["inputMessage"]);
$command->execute();
$command->close();
$conn->close();
}
}
这里的问题是,如果 extraMessage 为空,我希望它为 NULL(因为该字段不是必填字段)。为了优化这段代码,我想使用类似
的东西
NULLIF($POST_DATA["inputMessage"], "")
是否可以在 bind_param 函数中插入上述语句?
问题已解决(见我问题下的评论):
No. You have to write all the SQL expressions in the query and only insert the placeholder where the value goes. So, essentially, you would put NULLIF(?, "") in the query instead of just a ?. –
所以我正在尝试使用 sql 命令准备来避免注入,但我不知道如何使用 SQL 语句 bind_param 函数。我的代码是这样的:
function saveContent($POST_DATA) {
$conn = new mysqli("HOST", "USER", "PASSWORD");
if ($conn->connect_error) {
return false;
} else {
$command = $conn->prepare("INSERT INTO events (title, dateHappening, time, topic,
subtopic, extraMessage) VALUES (?, ?, ?, ?, ?, ?)";
$command->bind_param("ssssss", $POST_DATA["inputTitre"], $POST_DATA["inputDate"],
$POST_DATA["inputHour"], $POST_DATA["selectTopic"], $POST_DATA["selectSubTopic"],
$POST_DATA["inputMessage"]);
$command->execute();
$command->close();
$conn->close();
}
}
这里的问题是,如果 extraMessage 为空,我希望它为 NULL(因为该字段不是必填字段)。为了优化这段代码,我想使用类似
NULLIF($POST_DATA["inputMessage"], "")
是否可以在 bind_param 函数中插入上述语句?
问题已解决(见我问题下的评论):
No. You have to write all the SQL expressions in the query and only insert the placeholder where the value goes. So, essentially, you would put
NULLIF(?, "")in the query instead of just a?. –