  • PDO transaction support and SQL injection prevention

    PDO
    1. Access different databases
    2. Built-in transaction support
    3. Prevent SQL injection

    Below is a demonstration of database access and the built-in transaction support:

    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    <title>无标题文档</title>
    </head>
    
    <body>
    
    <?php
    
    /*//1. Create the object
    $dsn = "mysql:dbname=mydb;host=localhost";
    $pdo = new PDO($dsn,"root","123");
    
    //2. Write the SQL statement
    $sql = "update nation set name='兽族' where code='n013'";
    
    //3. Execute the SQL statement
    //$r = $pdo->query($sql);
    $r = $pdo->exec($sql);*/
    
    //Transaction support
    //Create the object
    $dsn = "mysql:dbname=mydb;host=localhost";
    $pdo = new PDO($dsn,"root","123");
    
    //Set exception mode, so a failed statement throws PDOException instead of failing silently
    $pdo->setAttribute(PDO::ATTR_ERRMODE,PDO::ERRMODE_EXCEPTION);
    
    //Write the SQL statements
    $sql1 = "insert into nation values('n016','人族')";
    $sql2 = "insert into nation values('n017','不死族')";
    
    //Execute both SQL statements
    try
    {
        //Start the transaction
        $pdo->beginTransaction();
        
        $pdo->exec($sql1);
        $pdo->exec($sql2);
        
        //Commit the transaction
        $pdo->commit();
    }
    catch(PDOException $e)
    {
        //$e->getMessage();
        //Roll back, so neither insert is kept if either one failed
        $pdo->rollBack();
    }
    
    ?>
    
    </body>
    </html>

    Below is the first way of preventing SQL injection: question-mark placeholders

    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    <title>无标题文档</title>
    </head>
    
    <body>
    <?php
    
    //Create the object
    $dsn = "mysql:dbname=mydb;host=localhost";
    $pdo = new PDO($dsn,"root","123");
    
    //Write the SQL statement: a prepared statement
    $sql = "insert into nation values(?,?)";
    
    //Prepare the SQL statement; returns a statement object
    $st = $pdo->prepare($sql);
    
    //Bind the parameters
    /*$st->bindParam(1,$code);
    $st->bindParam(2,$name);
    
    $code="n022";
    $name="矮人族";*/
    
    $attr = array("n023","魔族");  //Just pass the array directly!
    
    //Execute; no SQL string is needed here, it has already been sent
    var_dump($st->execute($attr));
    
    //When the prepared statement uses ? placeholders, the array you pass must be an indexed array
    
    ?>
    </body>
    </html>

    The other way: named placeholders

    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    <title>无标题文档</title>
    </head>
    
    <body>
    
    <?php
    
    //Create the object
    $dsn = "mysql:dbname=mydb;host=localhost";
    $pdo = new PDO($dsn,"root","123");
    
    //Write the SQL statement: a prepared statement using named placeholders
    $sql = "insert into nation values(:code,:name)";  //Note the leading colon!!
    
    //Prepare for execution
    $st = $pdo->prepare($sql);
    
    //Bind the parameters
    /*$st->bindParam(":code",$code,PDO::PARAM_STR);
    $st->bindParam(":name",$name,PDO::PARAM_STR);
    
    $code="n024";
    $name="狼族";*/
    
    $attr = array("code"=>"n025","name"=>"虫族");
    
    //Execute
    $st->execute($attr);
    
    ?>
    </body>
    </html>

    Finally, the advantage of named placeholders

    <?php
    //Create the object
    $dsn = "mysql:dbname=mydb;host=localhost";
    $pdo = new PDO($dsn,"root","123");
    
    //Write the SQL statement: a prepared statement using named placeholders
    $sql = "insert into nation values(:code,:name)";
    
    //Prepare for execution
    $st = $pdo->prepare($sql);
    
    //Execute
    $st->execute($_POST);   //The keys of $_POST match the submitted form fields, so they are assigned directly!
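    An added example, not code from the original post, that puts the point of the placeholder sections and the $_POST shortcut above into one runnable script. It uses PDO's sqlite driver with an in-memory database so it runs offline; the nation rows, the user input and the simulated $_POST array are constructed for the example.

```php
<?php
// Added example (not from the original post). Uses PDO's sqlite driver with an
// in-memory database so it runs offline; the nation rows and inputs are constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("create table nation (code varchar(10) primary key, name varchar(50))");
$pdo->exec("insert into nation values ('n001', 'Orc'), ('n002', 'Human')");

// Constructed user input: the single quote closes the SQL string literal early.
$userCode = "n001' or '1'='1";

// Vulnerable: the value is spliced into the SQL text, so the trailing
// "or '1'='1" becomes part of the WHERE clause and every row matches.
$unsafeSql = "select * from nation where code = '$userCode'";
$unsafeRows = $pdo->query($unsafeSql)->fetchAll(PDO::FETCH_ASSOC);
echo "string concatenation matched " . count($unsafeRows) . " rows\n";

// Safe: the statement is compiled with a ? placeholder and the value is bound
// afterwards, so it is compared as one plain string and no row matches.
$st = $pdo->prepare("select * from nation where code = ?");
$st->execute([$userCode]);
$safeRows = $st->fetchAll(PDO::FETCH_ASSOC);
echo "prepared statement matched " . count($safeRows) . " rows\n";

// Named placeholders fed from $_POST: pass only the keys the statement declares.
// A real form usually carries extra fields (a submit button here), and PDO can
// reject an array whose keys do not match the placeholders (SQLSTATE HY093).
$_POST = ['code' => 'n003', 'name' => 'Undead', 'submit' => 'Save'];  // constructed
$insert = $pdo->prepare("insert into nation values (:code, :name)");
$insert->execute(array_intersect_key($_POST, ['code' => 1, 'name' => 1]));
echo "rows after insert: " . $pdo->query("select count(*) from nation")->fetchColumn() . "\n";
```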

    Finally, a query!!

    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    <title>无标题文档</title>
    </head>
    
    <body>
    <?php
    
    //Create the object
    $dsn = "mysql:dbname=mydb;host=localhost";
    $pdo = new PDO($dsn,"root","123");
    
    //Write the SQL statement: a prepared statement
    $sql = "select * from nation";
    
    //Prepare for execution
    $st = $pdo->prepare($sql);
    
    //Execute
    $st->execute();
    
    //Read the data as associative arrays
    var_dump($st->fetchAll(PDO::FETCH_ASSOC));
    
    ?>
    </body>
    </html>
  • Original article: https://www.cnblogs.com/sq45711478/p/6040639.html