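<?php

/**
 * Replace the $location-th remaining "?" placeholder in $sql with a literal.
 *
 * NOTE(review): this is a demonstration of client-side value interpolation,
 * not a safe replacement for prepared statements. addslashes() knows nothing
 * about the connection character set, so the quoted string it produces is
 * not guaranteed to be parsed by the server the way it was written here;
 * production code should leave the "?" in the query and hand the value to
 * PDO::prepare()/bindValue() (or the mysqli equivalent) instead.
 *
 * Placeholders are counted among those still present in $sql, so after a
 * successful call the next unbound placeholder is again number 1.
 *
 * @param string $sql      query text; rewritten in place
 * @param int    $location 1-based index of the placeholder to replace
 * @param mixed  $var      value to bind
 * @param string $type     'STRING' (addslashes + single quotes),
 *                         'INT'/'INTEGER' (intval), 'BOOL' (emitted as 1/0);
 *                         any other value is interpolated unchanged
 *
 * @throws InvalidArgumentException if $location < 1 or $sql holds fewer
 *                                  than $location placeholders
 */
function bindParam(&$sql, $location, $var, $type)
{
    switch ($type) {
        case 'STRING':
            $var = "'" . addslashes($var) . "'";
            break;
        case 'INT':
        case 'INTEGER':
            $var = intval($var);
            break;
        case 'BOOL':
            // Concatenating a bare false yields "" and would leave a hole in
            // the query text; 1/0 is what the server expects.
            $var = (int) boolval($var);
            break;
    }

    if ($location < 1) {
        throw new InvalidArgumentException("Placeholder index must be >= 1, got {$location}");
    }

    // Walk to the requested placeholder. Starting from -1 keeps a "?" at
    // offset 0 reachable (the original began the search at offset 1).
    $pos = -1;
    for ($i = 0; $i < $location; $i++) {
        $pos = strpos($sql, '?', $pos + 1);
        if ($pos === false) {
            throw new InvalidArgumentException("Placeholder #{$location} not found in query");
        }
    }

    // The original computed $pos and then discarded it, leaving $sql
    // untouched; this splice is what actually rewrites the query.
    $sql = substr($sql, 0, $pos) . $var . substr($sql, $pos + 1);
}

$uid = 10086;
$psw = 'pwfdsd';
$sql = "select * from table where uid= ? and password= ?";

// Each call consumes a placeholder, so the remaining one is again #1.
bindParam($sql, 1, $uid, 'INT');
bindParam($sql, 1, $psw, 'STRING');
echo $sql;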
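<?php
/**
 * Created by PhpStorm.
 * User: Administrator
 * Date: 2015/12/28
 * Time: 16:36
 */

/**
 * Replace the $location-th remaining "?" placeholder in $sql with a literal.
 *
 * NOTE(review): this interpolates values into the SQL text; it is not a
 * substitute for real prepared statements. addslashes() is unaware of the
 * connection character set, so its output is not guaranteed to be parsed
 * by the server as intended. Prefer PDO::prepare()/bindValue().
 *
 * The original matched the two-character sequence "? ", which only works
 * when every placeholder is followed by a space (the demo query below had
 * to carry a trailing space for that reason); a bare "?" is matched now,
 * and a missing placeholder throws instead of splicing at offset 0.
 *
 * Placeholders are counted among those still present in $sql, so after a
 * successful call the next unbound placeholder is again number 1.
 *
 * @param string $sql      query text; rewritten in place
 * @param int    $location 1-based index of the placeholder to replace
 * @param mixed  $var      value to bind
 * @param string $type     'INT'/'INTEGER' casts to int; 'STRING' and any
 *                         unrecognised type are quoted after addslashes()
 *
 * @throws InvalidArgumentException if $location < 1 or the placeholder
 *                                  does not exist
 */
function bindParam(&$sql, $location, $var, $type)
{
    switch ($type) {
        case 'INTEGER':
        case 'INT':
            $var = (int) $var;
            break;
        default:
            // 'STRING' and everything unrecognised, as in the original's
            // "default: case 'STRING':" fall-through.
            $var = "'" . addslashes($var) . "'";
            break;
    }

    if ($location < 1) {
        throw new InvalidArgumentException("Placeholder index must be >= 1, got {$location}");
    }

    // Starting from -1 keeps a "?" at offset 0 reachable.
    $pos = -1;
    for ($i = 0; $i < $location; $i++) {
        $pos = strpos($sql, '?', $pos + 1);
        if ($pos === false) {
            throw new InvalidArgumentException("Placeholder #{$location} not found in query");
        }
    }

    $sql = substr($sql, 0, $pos) . $var . substr($sql, $pos + 1);
}

$uid = 10086;
$pwd = "pwd";
$sql = "SELECT * FROM table WHERE uid = ? AND pwd = ?";

// Each call consumes a placeholder, so the remaining one is again #1.
bindParam($sql, 1, $uid, 'INT');
bindParam($sql, 1, $pwd, 'STRING');
echo $sql;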
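// ... what text to show the user while picking a username,
// and bases its decision on whether or not the desired
// username already exists in the database. Hence, it
// queries the database, and requires 'konfunctions.php'.
//
// NOTE(review): $konnection and sanitizeString() are not defined in this
// file; they are presumably provided by konfunctions.php — confirm that
// $konnection is a PDO instance set to throw PDOException on errors.
require_once 'konfunctions.php';

// Only execute something if $_POST['user'] was submitted.
if (isset($_POST['user'])) {
    // Remove any security hazards from $_POST['user']
    $user = sanitizeString($_POST['user']);

    /* BEGIN Query 'users' database for a record that contains $_POST['user'] */

    // Prepare the query statement. The value travels as the bound
    // parameter :user rather than as part of the SQL text, so the driver
    // keeps it out of the query's syntax whatever it contains. (The
    // original quoted the placeholder, which would have made it a literal.)
    $queryUsers = "SELECT * FROM users WHERE user = :user";

    // null until the lookup succeeds, so a failed query never reports
    // "available" by accident.
    $taken = null;
    try {
        $query = $konnection->prepare($queryUsers);
        // bindValue() on the statement object; the original called an
        // undefined bindParam() function and overwrote $query with its
        // result. A username is text, so PARAM_STR rather than PARAM_INT.
        $query->bindValue(':user', $user, PDO::PARAM_STR);
        $query->execute();
        // fetch() returns a single row, or false when there is none; the
        // original indexed the result as if it were a list of rows.
        $taken = $query->fetch(PDO::FETCH_ASSOC) !== false;
    } catch (PDOException $e) {
        // Keep driver details out of the response; the original echoed an
        // undefined $sql and "$e - getMessage()" (a typo for ->getMessage()).
        error_log('checkuser query failed: ' . $e->getMessage());
        echo "<font color=red>Sorry, the check is unavailable right now</font>";
    }
    /* END Query 'users' database */

    // Check if the query returned any results
    // and return the appropriate response message
    // (the stray "←\n\t\t" continuation markers in the original output
    // strings were typesetting artifacts and are dropped).
    if ($taken === true) {
        echo "<font color=red>Sorry, already taken</font>";
    } elseif ($taken === false) {
        echo "<font color=green>Username available</font>";
    }
}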
/**
 * Bind a list of parameters.
 *
 * Calls bindParam() once per element of $array, passing the element's key
 * plus one as the placeholder position.
 *
 * NOTE(review): $times is set to 0, never incremented, and passed as
 * bindParam()'s fourth argument. In the bindParam() definitions elsewhere in
 * this file that slot is the $type selector ('INT'/'STRING'), so every value
 * would be bound with type 0; it looks like a counter that was meant to be
 * updated per iteration — confirm against the bindParam() this file actually
 * loads before relying on it.
 *
 * NOTE(review): if bindParam() consumes the placeholder it replaces (as the
 * variants in this file do), $key + 1 overshoots from the second element on
 * — verify.
 *
 * @param string $sql   query text, passed by reference to bindParam()
 * @param array  $array values to bind, in key order
 */
function bindParams(&$sql, $array)
{
    $times = 0;
    foreach ($array as $key => $value) {
        bindParam($sql, $key + 1, $value, $times);
    }
}
// NOTE(review): the start of bindParam() (its signature and the block this
// brace closes) lies above this excerpt; only the tail is visible here.
}
$pos = 0;
// When earlier calls have already replaced some "?", the requested position
// is shifted down by one and the caller's $total is refreshed through
// $GLOBALS — a hidden write into the calling scope.
if (substr_count($sql, '?') < $total) {
    for ($i = 1; $i <= $location - 1; $i++) {
        $pos = strpos($sql, '?', $pos + 1);
    }
    $GLOBALS['total'] = substr_count($sql, '?');
} else {
    for ($i = 1; $i <= $location; $i++) {
        $pos = strpos($sql, '?', $pos + 1);
    }
}
// Replace the question mark.
// NOTE(review): strpos() returning false (placeholder missing, or a "?" at
// offset 0 skipped by the $pos + 1 start) is not checked before the splice;
// the value is interpolated into the SQL text rather than sent as a bound
// parameter.
return $sql = substr($sql, 0, $pos) . $var . substr($sql, $pos + 1);
}

$dsn = "mysql:host=localhost;dbname=test";
$user = "******"; // presumably redacted in this copy
$pwd = "";        // empty DB password
$pdo = new PDO($dsn, $user, $pwd);
$pdo->exec("SET NAMES UTF8");
$uid = 10086;
$pwd = "pwd";     // reuses the variable that held the DB password
$uname = "yaohuang";
$sql = "SELECT*FROM table WHERE uid=? AND uname=? AND pwd=?";
$total = substr_count($sql, '?');
// NOTE(review): $pdo is not used from here on — the values are spliced into
// $sql by bindParam() instead of going through PDO::prepare(), and the
// resulting query text (including the password literal) is echoed to the page.
echo bindParam($sql, 1, $uid, 'INT', $total);
echo '<br>';
echo bindParam($sql, 2, $uname, 'STRING', $total);
echo '<br>';
echo bindParam($sql, 3, $pwd, 'STRING', $total - 1);