postgresql缺乏对parameterizd查询的支持 [英] postgresql lacking support for parameterizd queries
问题描述
我通过浏览Google未能找到答案.所以我决定在这里问.我可以使用php pdo在postgre中支持参数化查询吗?
I failed to find out by browing google. So i decided to ask here. Is parameterezed query supported i postgre using php pdo?
如果没有.我怎样才能达到同样的安全性?
If not. How can i reach the same safety?
请注意,安全性因此是绝对必要的.不能选择使用其他数据库.
Note that safety, thus injection prove is an absolute must. Using another database is not an option as a sidenote.
回应Fonini;
像这样的参数化查询:
$st = $db->prepare(
"insert into vendors set
first_name = :first_name,
last_name = :last_name"
);
$st->execute(array(
':first_name' => $vendor->first_name,
':last_name' => $vendor->last_name
));
不使用bindParam
not using bindParam
这不会为我插入.
我的代码如下:
$project = new Project();
$project->id = 'sequence string';
$project->projectName = 'A project name';
$project->saveProject();
并在项目模型中:
public function saveProject() {
$this->_db->query("INSERT INTO projects VALUES (:id,:projectName)", array(':id' => $this->_projectFields['id'], ':projectName' => $this->_projectFields['projectName']))->save();
}
我的db类中的查询方法将查询放在私有$ _query字段中,将aray参数放在私有$ _parameters字段中.然后,我调用save方法,该方法准备语句,将$ this-> _ query作为参数提供给PDO :: prepare(),然后调用PDO :: execute,将$ this-> _ parameters作为参数.无法插入
the query method in my db class puts the query in the private $_query field, and the aray parameter in the private $_parameters field. I then call the save method, which prepares the statement, giving $this->_query as parameter to PDO::prepare(), and then call PDO::execute giving $this->_parameters as parameter. This fails to insert
推荐答案
是的,参数化查询与PHP PDO完美配合.
Yes, parameterized queries work perfectly with PHP PDO.
$db = new PDO('pgsql:host=localhost;dbname=cars', 'user', 'password');
$cars = $db->prepare('SELECT * FROM cars WHERE id = :id');
$cars->bindParam(':id', $id = 20, PDO::PARAM_INT);
$cars->execute();
$result = $cars->fetch();
echo 'Name: ' . $result['name'];
这篇关于postgresql缺乏对parameterizd查询的支持的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
