
PHP connecting to MySQL: how do I do a fuzzy (LIKE) query when using stmt to prevent injection?

Table names and column names can also be passed in as parameters.

```php
$sqlLink = init_mysql();
$stmt = $sqlLink->stmt_init();
$sql = 'SELECT ? FROM ?;';
$stmt->prepare($sql);
$stmt->bind_param("ss",'colA','tableA');
$stmt->execute();
// Parameterization prevents injection, but how do I do a fuzzy (LIKE) query?
```

```
1. sql = 'SELECT * FROM tableA WHERE col LIKE \'%?%\'';
2. sql = "SELECT * FROM tableA WHERE col LIKE '%?%'";
3. sql = 'SELECT * FROM tableA WHERE col LIKE \'%'.'?'.'%\'';
```

How should the SQL for the prepare statement be written for a fuzzy query with % wildcards?


1 answer

0

Accepted

Use parameter binding.

```php
$db = new PDO(DB_DSN, DB_USERNAME, DB_PASSWORD, $pdo_options);
// The % wildcards go into the bound value, not into the SQL text
$query = $db->prepare('SELECT * FROM table WHERE name LIKE :name');
$query->bindValue(':name', '%' . $name . '%', PDO::PARAM_STR);
$query->execute();
while ($results = $query->fetch()) {
    echo $results['name'];
}
```
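The same idea with the mysqli stmt API the question uses, as an added example that is not code from the asker or the answerer: the wildcards are put into the bound value, and `%` and `_` typed by the user are escaped so they match literally instead of widening the search. It assumes an `init_mysql()` connection factory as in the question and a table `tableA` with columns `colA` and `colB`; `fuzzySearch` and `escapeLikeTerm` are names chosen here. A table or column name cannot be a `?` placeholder (prepare rejects it), so the column is checked against a fixed allow-list instead.

```php
<?php
// Added example, not code from the original post. Assumes init_mysql() returns a
// mysqli connection (as in the question) and that tableA has columns colA and colB.

/**
 * Escape LIKE metacharacters so a "%" or "_" typed by the user matches literally.
 * Backslash is replaced first so the backslashes added afterwards are not re-escaped.
 * Pairs with the ESCAPE '\' clause in the query below.
 */
function escapeLikeTerm(string $term): string
{
    return str_replace(['\\', '%', '_'], ['\\\\', '\\%', '\\_'], $term);
}

/**
 * Fuzzy search on one allow-listed column of tableA.
 * The "%" wildcards live in the bound value, so the SQL keeps a plain "?" placeholder;
 * the column name cannot be a placeholder, so it is validated against a fixed list.
 */
function fuzzySearch(mysqli $db, string $column, string $term): array
{
    $allowedColumns = ['colA', 'colB']; // assumption: the columns users may search
    if (!in_array($column, $allowedColumns, true)) {
        throw new InvalidArgumentException("column not searchable: $column");
    }

    // In a double-quoted PHP string "\\\\" becomes \\ in the SQL text,
    // which MySQL reads as a single backslash escape character.
    $sql = "SELECT * FROM tableA WHERE `$column` LIKE ? ESCAPE '\\\\'";
    $stmt = $db->prepare($sql);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }

    $pattern = '%' . escapeLikeTerm($term) . '%'; // bind_param needs a variable, not a literal
    $stmt->bind_param('s', $pattern);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// Usage: a search for "50%" matches rows containing the literal text "50%",
// rather than every row whose colA contains "50".
$db = init_mysql();
foreach (fuzzySearch($db, 'colA', '50%') as $row) {
    echo $row['colA'], PHP_EOL;
}
```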

