Prepared statement returns no rows
简要版本(不带尝试和捕获):
1 2 3 4 5 6 7 | $dbConnection = new PDO("mysql:host=$serverName;dbname=$dbName", $userName, $password, $dbOptions); $dbStatement = $dbConnection->prepare('SELECT * FROM bin_content WHERE LotId=":lot";'); dbStatement->bindParam(':' . $key, $filter->$key); // $filter->lot contains"A32" and $key="lot", // so I'm assuming"A32" will be filled into the statement $dbStatement->execute(); // this is actually in a try/catch, and no exceptions are caught here $row = $dbStatement->fetch(); // this returns false |
如上面的代码中所述,
1 | SELECT * FROM bin_content WHERE LotId="A32"; |
我绑定
使用准备好的语句时,请勿引用您希望稍后安全地"插入"到语句中的内容。
如果您查询此
1 | "SELECT * FROM table WHERE user = 'some-user'" |
它会从字面上查找具有该名称的用户,这就是为什么在查询数据库时会从字面上查找用户":lot"的原因。
改为使用
1 2 3 4 5 | "SELECT * FROM table WHERE user = :user_name" bindParam->(':user_name', $var); ->execute (); |
现在它将安全地将$ var注入到准备好的语句中,然后您可以执行它