PHP学习笔记【三】之《数据库抽象层PDO---PDOStatement对象的使用》

一、quote()方法防止SQL注入

<?php
header('content-type:text/html;cahrset=utf-8');
$username=$_POST['username'];
$password=$_POST['password'];
try
{
$pdo=new PDO('mysql:host=localhost;dbanme=my_db','root','');
//$pdo->quote($username);
//$sql="select * from user where username='{$username}' and password='{$password}'";
//echo $sql;
//通过quote():返回带引号的字符串，过滤字符串中你的特殊字符
$username=$pdo->quote($username);
$sql="select * from user where username={$username} and password='{$password}'";
echo $sql;
$stmt=$pdo->qurey($sql);
//PDOStatement对象的方法：rouCount():对于select操作返回的结果集中记录的条数，
//对于INSERT\UPDATE\DELECT返回受影响的记录的条数
echo $stmt->rowCount();
}
catch(PDOException $e)
{
echo $e->getMessage();
}
?>

二、预处理语句中占位符的使用

1、通过quote():返回带引号的字符串，过滤字符串中你的特殊字符

<?php
header('content-type:text/html;cahrset=utf-8');
$username=$_POST['username'];
$password=$_POST['password'];
try
{
$pdo=new PDO('mysql:host=localhost;dbanme=my_db','root','');
//$pdo->quote($username);
//$sql="select * from user where username='{$username}' and password='{$password}'";
//echo $sql;
//通过quote():返回带引号的字符串，过滤字符串中你的特殊字符
$username=$pdo->quote($username);
$sql="select * from user where username={$username} and password='{$password}'";
echo $sql;
$stmt=$pdo->qurey($sql);
//PDOStatement对象的方法：rouCount():对于select操作返回的结果集中记录的条数，
//对于INSERT\UPDATE\DELECT返回受影响的记录的条数
echo $stmt->rowCount();
}
catch(PDOException $e)
{
echo $e->getMessage();
}
?>

2、:username/:password 作为占位符进行预处理

<?php
header('content-type:text/html;charset=utf-8');
$username=$_POST['username'];
$password=$_POST['password'];
try
{
$pdo=new PDO('mysql:host=localhost;dbname=my_db','root','');
$sql="select * from user where username=:username and password=:password";
$stmt=$pdo->prepare($sql);
$stmt->excute(array(":username"=>$username,":password"=>$password));
echo $stmt->rowCount();
}
catch(PDOException $e)
{
echo $e->getMessage();
}
?>

3、？ 作为占位符进行预处理

<?php
header('content-type:text/html;charset=utf-8');
$username=$_POST['username'];
$password=$_POST['password'];
try
{
$pdo=new PDO('mysql:host=localhost;dbname=my_db','root','');
$sql="select * from user where username=? and password=?";
$stmt=$pdo->prepare($sql);
$stmt->excute(array($username,$password));
echo $stmt->rowCount();

}
catch(PDOException $e)
{
echo $e->getMessage();
}
?>

三、bindParam()方法绑定参数

1、绑定一个PHP变量到用作预处理的SQL语句中的对应命名占位符

<?php
header('content-type:text/html;cahrset=utf-8');
try {
$pdo = new PDO('mysql:host=localhost;dbanme=my_db', 'root', '');
$sql="INSERT user(username,password,email)Values(:username,:password,:email)";
$stmt-=$pdo->prepare($sql);
$stmt->bindParam(":username",$username,PDO::PARAM_STR);
$stmt->bindParam(":password",$password,PDO::PARAM_STR);
$stmt->bindParam(":email",$email);
$username='zzc';
$password='zzc';
$email='zzc@qq.com';
$stmt->excute();
$username='jason';
$password='jaosn';
$email='jason@qq.com';
$stmt->excute();
echo $stmt->rowCount();
}
catch(PDOException $e)
{
echo $e->getMessage();
}
?>

2、绑定一个PHP变量到用作预处理的SQL语句中的对应问号占位符

(对于使用问号占位符的预处理语句，应是以1开始索引的参数位置。)

<?php
header('content-type:text/html;cahrset=utf-8');
try {
$pdo = new PDO('mysql:host=localhost;dbanme=my_db', 'root', '');
$sql="INSERT user(username,password,email)Values(?,?,?)";
$stmt-=$pdo->prepare($sql);
$stmt->bindParam(1,$username);
$stmt->bindParam(2,$password);
$stmt->bindParam(3,$email);
$username='THIS IS A TEST';
$password='THIS IS A TEST';
$email='test@qq.com';
$stmt->excute();
echo $stmt->rowCount();
}
catch(PDOException $e)
{
echo $e->getMessage();
}
?>

四、bindValue()方法绑定参数

1、绑定一个值到用作预处理的 SQL 语句中的对应命名占位符

<?php
try{
$pdo=new PDO('mysql:host=localhost;dbname=imooc','root','');
$sql='INSERT user(username,password,email) VALUES(:username,:password,:email)';
$stmt=$pdo->prepare($sql);
$username='zzc11';
$password='zzc11';
$stmt->bindValue(':username',$username);
$stmt->bindValue(':password',$password);
$stmt->bindValue(':email','zzc11@qq.com');
$stmt->execute();
echo $stmt->rowCount();
$username='zzc22';
$password='zzc22';
$stmt->bindValue(':username',$username);
$stmt->bindValue(':password',$password);
$stmt->bindValue(':email','zzc22@qq.com');
$stmt->execute();
echo $stmt->rowCount();
}catch(PDOException $e){
echo $e->getMessage();
}
?>

2、绑定一个值到用作预处理的 SQL 语句中的对应问号占位符

<?php
try{
$pdo=new PDO('mysql:host=localhost;dbname=my_db','root','');
$sql='INSERT user(username,password,email) VALUES(?,?,?)';
$stmt=$pdo->prepare($sql);
$username='zzc';
$password='zzc';
$stmt->bindValue(1,$username);
$stmt->bindValue(2,$password);
$stmt->bindValue(3,'123456@qq.com');
$stmt->execute();
echo $stmt->rowCount();
$username='zzc1';
$password='zzc1';
$stmt->bindValue(1,$username);
$stmt->bindValue(2,$password);
$stmt->execute();
echo $stmt->rowCount();
}catch(PDOException $e){
echo $e->getMessage();
}
?>

五、bindColumn()方法绑定参数

<?php
header('content-type:text/html;charset=utf-8');
try
{
$pdo=new PDO('mysql:host=localhost;dbname=my_db','root','');
$sql='SELECT username,password,email FROM user';
$stmt=$pdo->prepare($sql);
$stmt->execute();
echo '结果集中的列数一共有：'.$stmt->columnCount();
echo '<hr/>';
print_r($stmt->getColumnMeta(0));
echo '<hr/>';
$stmt->bindColumn(1, $username);
$stmt->bindColumn(2,$password);
$stmt->bindColumn(3, $email);
while($stmt->fetch(PDO::FETCH_BOUND)){
echo '用户名：'.$username.'-密码：'.$password.'-邮箱：'.$email.'<hr/>';
}
}
catch(PDOException $e)
{
echo $e->getMessage();
}
?>

六、fetchColumn()方法从结果集中返回一列

<?php
header('content-type:text/html;charset=utf-8');
try{
$pdo=new PDO('mysql:host=localhost;dbname=my_db','root','');
$sql='SELECT username,password,email FROM user';
$stmt=$pdo->query($sql);
echo $stmt->fetchColumn(0),'<br/>';
echo $stmt->fetchColumn(1),'<br/>';
echo $stmt->fetchColumn(2);
}catch(PDOException $e){
echo $e->getMessage();
}
?>

Warning：使用PDOStatement：：fetchColumn()取回数据，则没办法返回同一行的另外一列。

七、debugDumpParams()方法打印一条预处理语句

<?php

try{

$pdo=new PDO('mysql:host=localhost;dbname=my_db','root','');
$sql='INSERT user(username,password,email) VALUES(?,?,?)';
$stmt=$pdo->prepare($sql);
$stmt->bindParam(1, $username,PDO::PARAM_STR);
$stmt->bindParam(2,$password,PDO::PARAM_STR);
$stmt->bindParam(3,$email,PDO::PARAM_STR);
$username='testParam';
$password='testParam';
$email='testParam@qq.com';
$stmt->execute();
$stmt->debugDumpParams();
}catch(PDOException $e){
echo $e->getMessage();
}
?>

<?php
try{
$pdo=new PDO('mysql:host=localhost;dbname=my_db','root','');
$sql='SELECT * FROM user WHERE username=:username AND password=:password';
$stmt=$pdo->prepare($sql);
$stmt->bindParam(':username', $username,PDO::PARAM_STR);
$stmt->bindParam(':password',$password,PDO::PARAM_STR);
$username='testParam';
$password='testParam';
$stmt->execute();
$stmt->debugDumpParams();
}catch(PDOException $e){
echo $e->getMessage();
}
?>

八、nextRowset()方法将结果集中指针下移

“test1.sql”

CREATE TABLE IF NOT EXISTS userAccount(
id TINYINT UNSIGNED AUTO_INCREMENT KEY,
username VARCHAR(20) NOT NULL UNIQUE,
money DECIMAL(10,2)
)ENGINE=INNODB;

INSERT userAccount(username,money) VALUES('zzc',10000),('jason',5000);

DELIMITER //
CREATE PROCEDURE test1()
BEGIN
SELECT * FROM user;
SELECT * FROM userAccount;
END
//
DELIMITER ;

CREATE TABLE test2(

);

<?php
try{
$pdo=new PDO('mysql:host=localhost;dbname=my_db','root','');
$sql='call test1()';
$stmt=$pdo->query($sql);
$rowset=$stmt->fetchAll(PDO::FETCH_ASSOC);
print_r($rowset);
echo '<hr color="red"/>';
$stmt->nextRowset();
$rowset=$stmt->fetchAll(PDO::FETCH_ASSOC);
print_r($rowset);
}catch(PDOException $e){
echo $e->getMessage();
}
?>