问题
I am trying to understand prepared statements using PHP and mysqli. I tried to read on some tutorials, manual and this one: Bind_Param in PHP, but I have not yet found any satisfying answer.
Someone wrote in answer as:
When you prepare an SQL statement, you can insert a placeholder (?) where a column value would go, then use bind_param() to safely substitute that placeholder for the real column's value. This prevents any possibility of an SQL injection.
I found some code in tutorials like this:
$stmt = $con->prepare("INSERT INTO user_accounts VALUES (?,?,?,?)");
$stmt->bind_param('xyz', $sample1, $sample2, $sample3, $sample4); // bind to the parameter
I understood that we write '?' instead of our variable, so that the actual values can be given later. MySQL prepares a plan for query execution, and then variables are given as parameters.
What does this line of code mean?
bind_param('xyz', $sample1, $sample2, $sample3, $sample4);
Four variables are given with something 'xyz' as parameters... What exactly does parameter 'xyz' mean here? Is it necessary to write and will it later be used? I didn't find it used elsewhere.
I only want an answer for the first parameter:
回答1:
I think you understand the concept of binding parameters, so I won't go into that. Nonetheless, you might want to review this for more background information.
The mysqli API for binding parameters is arguably not very elegant. It looks like this:
bool mysqli_stmt::bind_param ( string $types , mixed &$var1 [, mixed &$... ] )
This means that the first argument to this function, $types, gives mysqli the information what types your parameters are/what it should treat them as. Following that are the individual parameters.
The $types argument is a string of individual characters, with each character denoting a type. There are four possible types: i, d, s and b, which stand for integer, double, string and binary. So if you wanted to bind two integers and one string, in that order, the $type parameter needs to be iis. You then follow that by the actual values:
$int1 = 42;
$int2 = 11;
$str = 'foo';
$stmt->bind_param('iis', $int1, $int2, $str);
回答2:
The first parameter specifies the type of columns' data. For example if we have four columns and all are of the string type, we write:
$stmt->bind_param('ssss', $sample1, $sample2, $sample3, $sample4);
If one column is of the integer type, we use i instead of s.For example, if the third column is integer, we write:
$stmt->bind_param('ssis', $sample1, $sample2, $sample3, $sample4);
to specify that the first and second columns are string (s) and the third is integer (i) and the forth is string (s).
For the first parameter of the bind_param() function, we use s for string types, i stands for integer, d is for double type and b is for blob.
So for your case, sssd means that the fourth column is double and the rest are string
来源:https://stackoverflow.com/questions/26826489/what-exactly-does-first-parameter-in-bind-param-do