何时使用 PDO 准备查询.mysql_real_escape 错误 [英] When to use PDO prepared queries. mysql_real_escape error

问题描述

我正在制作一个 php 网站，在我的本地机器上开发.对此真的很陌生，所以这是我尝试过的第一件事.当我搬到我的主机时，我收到以下错误:

I'm been making a php site, developing on my local machine. Really new to this so this is the first thing i've ever attempted. When I moved to my host, i get the following error:

 Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Access denied             for user 'matthew'@'localhost' (using password: NO)  on line 11

我在这里搜索了很多，我很确定这是因为我需要准备"我的查询.我不确定什么时候准备正确，什么时候不正确.我在下面添加了一些查询以进行详细解释:

I've searched on here a fair bit and I'm pretty sure its because i need to 'prepare' my queries. What I am unsure of is when is it correct to prepare, and when not. I've added some of my queries below to explain in detail:

连接到数据库:

$hostname = "localhost";
$username = "root";
$password = "root";

try {
    $dbh = new PDO("mysql:host=$hostname;dbname=wmpt", $username, $password);
//echo "Connected to database"; // check for connection
    }
catch(PDOException $e)
    {
    echo $e->getMessage();
    }

这是一个示例查询:

$username = mysql_real_escape_string($_POST['run']);


$STH = $dbh->query("SELECT * FROM tblusers WHERE username = '$username' ");
$STH->setFetchMode(PDO::FETCH_ASSOC);  
$result = $STH->fetch();

我的问题是，如果我使用用户提交的数据查询/插入/更新数据库，我是否只需要准备"一个查询?

My question is, do I only need to "prepare" a query if I am querying/inserting/updating the DB with user submitted data?

上面的查询是不好的做法吗?如果它不包含用户提交的数据怎么办，即我想查询

Is the above query bad practice? What if it didnt contain user submitted data, ie i wanted to query

 $STH = $dbh->query("SELECT * FROM tblusers WHERE username LIKE '%hotmail%' ");

这可能是一个不好的例子，但我正在说明一个开发人员定义的查询.

That probably a bad example, but I'm illustrating a developer defined query.

这是我得到的原因吗，我该如何避免:

Is this the reason I get, and how i can avoid:

Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Access denied for     user 'matthew'@'localhost' (using password: NO)  on line 11

推荐答案

如果您使用 PDO，则不应使用 mysql_real_escape_string.PDO 库有一个非常强大的 SQL 占位符方法 做得更好.

If you're using PDO, you should not be using mysql_real_escape_string. The PDO library has a very robust SQL placeholder method that does a much better job.

$STH = $dbh->query("SELECT * FROM tblusers WHERE username = :username");
$STH->bindParam(':username', $username);
$STH->setFetchMode(PDO::FETCH_ASSOC);  
$result = $STH->fetch();

这篇关于何时使用 PDO 准备查询.mysql_real_escape 错误的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！