开发者

What is the correct and easiest way to do prepared statements with PHP's mysqli?

I have been using the old mysql api in PHP for a long time and want to start using mysqli for both speed and security with a new project I'm working on. I've looked through the manual and read several tutorials, but I'm finding a lot of conflicting and somewhat confusing information on how to do prepared statements in mysql.

Is there anything in this code that doesn't need to be there, and is there anything that is missing? Also, is this the easiest way to do something simple like this (seems somewhat involved for such a simple task)?

Procedural:

// build prepared statement
$query = mysqli_prepare($link, "SELECT email FROM users WHERE id = ?");

// bind parameters to开发者_开发百科 statement
mysqli_stmt_bind_param($query, 's', $_GET['id']);

// execute statement
mysqli_stmt_execute($query);

// bind the variables to the result
mysqli_stmt_bind_result($query, $email);

// print the results
while (mysqli_stmt_fetch($query)) {
    echo $email;
}

// close the statement
mysqli_stmt_close($query);

// close connection
mysqli_close($link);

Object-Oriented:

// build prepared statement
$query = $link->prepare("SELECT email FROM users WHERE id = ?");

// bind parameters to statement
$query->bind_param('s', $_GET['id']);

// execute statement
$query->execute();

// bind the variables to the result
$query->bind_result($email);

// print the results
while ($query->fetch()) {
    echo $email;
}

// close the statement
$query->close();

// close connection
$link->close();


Here's the guts of a semi-self-explanatory class that encapsulates mysqli, including prepared statements, which are quite tricky. It's pretty well tested - I've been using it for a year now without change.

It only implements prepared statements to Execute SQL commands because they change data and often require nasty encoding tricks otherwise. If you want SELECTs, it's left as an exercise for the reader - it's easier. :)

<?php

class Db
{
    var $_mysqli;
    var $_result;
    var $_error_msg;

    public function __construct($server, $user, $password, $name)
    {
        $this->_mysqli = new mysqli("p:".$server, $user,
                                    $password, $name);
        if($this->_mysqli->connect_errno) 
        {
            $this->_error_msg = $this->_mysqli->connect_error;
        }
    }

    public function __destruct()
    {
    }

    private function sql_select($sql)
    {
        $this->_mysqli->query("SET NAMES 'utf8'"); // a little help for UTF8 io
        $this->_result = $this->_mysqli->query($sql);
    }

    private function sql_close()
    {
        $this->_mysqli->close();
    }


    public function ErrorMessage()
    {
        return $this->_error_msg;
    }

    public function SqlRows($sql)
    {
        $rows = array();
        $result = $this->sql_select($sql);
        if($this->IsError())
        {
            return $rows;
        }
        while($row = $result->fetch_array()) 
        {
            $rows[] = $row;
        }
        $result->free();
        return $rows;
    }

    public function SqlObjects($sql)
    {
        $objects = array();
        $result = $this->sql_select($sql);
        while($object = $this->_result->fetch_object()) 
        {
            $objects[] = $object;
        }
        $result->free();
        return $objects;
    }

    public function SqlOneObject($sql)
    {

        $result = $this->sql_select($sql);
        $obj = $result->fetch_object();
        $result->free();
        return $obj;
    }

    public function SqlOneRow($sql)
    {
        $result = $this->sql_select($sql);
        if(! is_object($result))
            return null;
        if($result->num_rows > 0)
            $row = $result->fetch_array();
        else
            $row = null;
        $result->free();
        return $row;
    }

    public function SqlOneValue($sql)
    {
        $result = $this->sql_select($sql);
        if(!empty($result))
        {
            $row = $result->fetch_array();
        }
        $result->free();
        return empty($row) ? null : $row[0] ;
    }

    // returns number of affected rows
    public function SqlExecute($sql)
    {
        $this->_result = $this->_mysqli->query($sql);
        return $this->affected_rows();
    }

    private function affected_rows()
    {
        return $this->_mysqli->affected_rows;
    }

    private function IsError()
    {
        if(empty($this->_mysqli))
            return false;
        return !empty($this->_mysqli->error);
    }

    // arguments are sql and an array of 
    // argument references (not values).
    public function SqlExecutePS($sql, $args)
    {
        $stmt = $this->_mysqli->prepare($sql);

        // make the type-string
        $typestr = make_typestring($args);
        $params = array($typestr);
        $params = array_merge($params, $args);

        call_user_func_array(array($stmt, 'bind_param'), $params);
        $stmt->execute();

        $ret = $this->affected_rows();
        $stmt->close();
        return $ret;
    }

    public function SqlExists($sql)
    {
        $result = $this->SqlOneRow($sql);
        return !empty($result[0]);
    }


    function make_typestring($args)
    {
        assert(is_array($args));
        $ret = "";
        foreach($args as $arg)
        {
            switch(gettype($arg))
            {
                case "boolean":
                case "integer":
                    $ret .= "i";
                    break;
                case "double":
                    $ret .= "d";
                    break;
                case "string":
                    $ret .= "s";
                    break;
                case "array":
                case "object":
                case "resource":
                case "NULL":
                default:
                    // call it a blob and hope
                    // you know what you're doing.
                    $ret .= "b";
                    break;
            }
        }
        return $ret;
    }
} 

?>
0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜