prepared-statement

mysqli_num_rows fails with prepared statement, procedural style

时光毁灭记忆、已成空白 submitted on 2019-12-11 06:21:36
Question: I am learning Mysqli (coming from Mysql). As far as I understood, the advantage of using prepared statements is to prevent SQL injections. I managed to build queries with prepared statements using SELECT and INSERT. But to achieve the equivalent of select count(), I'm banging my head against the wall. The PHP manual gives: if ($result = mysqli_query($link, "SELECT Code, Name FROM Country ORDER BY Name")) { /* determine number of rows result set */ $row_cnt = mysqli_num_rows($result);

How to setup prepared statements for mysql queries in C?

半世苍凉 submitted on 2019-12-11 06:18:55
Question: I'm trying to set up a prepared statement based on this example I found on the web. I just want to protect against sql injections in the grade= and username=, but the statement isn't executing. MYSQL_STMT *stmt; MYSQL_BIND bind[2]; char* usrname = &uname[0]; //uname supplied by user char* choi = choice; //choice supplied by user stmt = mysql_stmt_init(connect); char* statement = "UPDATE grades SET grade='?' WHERE username='?'"; mysql_stmt_prepare(stmt, statement, strlen(statement)); memset

PreparedStatement not returning ordered ResultSet

强颜欢笑 submitted on 2019-12-11 05:47:38
Question: I am having some problems and I'm sure it's something stupid. So I have a query like SELECT name, id, xyz FROM table ORDER BY ? then later down the road setting the ? doing a ps.setString(1, "xyz"); I am outputting the query and the value of xyz in the console. When I loop through the ResultSet returned from the PreparedStatement the values are not in the correct order. They are in the returned order as if I had left the ORDER BY clause off. When I copy/paste the query and the value into TOAD

mysqli_stmt_fetch returns number

扶醉桌前 submitted on 2019-12-11 05:08:09
Question: This is my first attempt at a prepared statement and instead of returning a single text element, I'm getting a number instead. The number 1 to be specific. Somebody said it's got something to do with counting the records but I'm not sure how to turn it off. function primary_include2($url_keyword) { $link = select_db(); $query = "select file_path FROM primary_includes WHERE url_label=?"; $stmt = mysqli_prepare($link, $query); mysqli_stmt_bind_param($stmt, 's', $url_keyword); if ($result =

How to set query parameters in MySQL Query Browser?

馋奶兔 submitted on 2019-12-11 05:03:37
Question: Can the MySQL Query Browser set parameters of a parameterized query? If so, how? I tried populating the Parameter Browser tab but it doesn't seem to actually set parameters when I execute the query. I searched for quite a while in Google (e.g. mySQL Query Browser parameterized) but had no luck finding the answer. I found this thread on the mySQL forums; sounds like I'm not the only one scratching my head here. I'm using Version 5.1 on Windows Server 2008 (client and server), if that matters.

Why is this Java PreparedStatement throwing ArrayIndexOutOfBoundsException 0 with parameterIndex = 1?

心不动则不痛 submitted on 2019-12-11 04:33:21
Question: The following method, when called with something like String val = getCell("SELECT col FROM table WHERE LIKE(other_col,'?')", new String[]{"value"}); (this is SQLite), throws a java.lang.ArrayIndexOutOfBoundsException: 0 at org.sqlite.PrepStmt.batch(PrepStmt.java:131). Can anyone take pity on my poor bumbling here and help me with why? /** * Get a string representation of the first cell of the first row returned * by <code>sql</code>. * * @param sql The SQL SELECT query, that may contain

PHP - mysqli::prepare returning false

夙愿已清 submitted on 2019-12-11 04:32:01
Question: I have this really simple PHP code: $mysqli = new mysqli('localhost', 'xxx', 'xxxxx', 'xxx'); $query = "SELECT * FROM questions WHERE id = ?"; $stmt = $mysqli->prepare($query); $stmt->bind_param('d', $_GET['qid']); $stmt->execute(); $stmt->bind_result($id, $content, $correct_ans, $lol); $stmt->fetch(); //do sth with the data $query = "SELECT * FROM answers WHERE question_id = ?"; $stmt = $mysqli->prepare($query); $stmt->bind_param('d', $_GET['qid']); $stmt->execute(); $stmt->bind_result($id,

How to use prepared statements in lua-dbi?

前提是你 submitted on 2019-12-11 03:53:44
Question: I want to use prepared statements in my lua scripts. As mentioned in my previous post, people recommend using lua-dbi. Unfortunately there is little documentation available. I just need a basic script that connects to the database with credentials, and uses prepared statements (preferred with a bind function to names in the query). Anyone experienced with this? Answer 1: You can find it on the project's wiki pages: Establishing connection: https://code.google.com/p/luadbi/wiki/DBDDriverConnection

When making the same PDO query (with changing parameters), do I call prepare() every time, or just once?

删除回忆录丶 submitted on 2019-12-11 03:52:10
Question: I'm trying to learn how to use PDO and I need help understanding something. I keep reading that one of the biggest benefits of using PDO is that it is much more efficient than mysql_* when making similar queries over and over again. I need to make a query that is exactly the same, except that the bound parameters change each time (but the structure of the query is the same). So, here's my question: Should I call PDO::prepare() once and then inside my loop call execute() (passing the

Running the same select query multiple times with different parameters: Mysql

末鹿安然 submitted on 2019-12-11 03:35:39
Question: I have a java program that needs to iterate through a HashMap to get parameters that are then used to query the MySQL database. The code is as follows: Iterator<Entry<String, Double>>it = ws.entrySet().iterator(); Connection con = null; while(it.hasNext()) { Entry<String, Double>pairs = it.next(); PreparedStatement ps = con.prepareStatement("select doc_freq from lookup where word=?"); ps.setString(1, pairs.getKey()); ResultSet rs = ps.executeQuery(); } The process of repeatedly accessing