pdo 事务功能和防止sql注入功能

PDO
1.访问不同的数据库
2.自带事务功能
3.防止SQL注入

 

 

下面是访问数据库和自带事务功能的展示：

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>无标题文档</title>
</head>

<body>

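<?php

/* Plain, non-transactional use (kept for reference):
//1. create the connection object
$dsn = "mysql:dbname=mydb;host=localhost";
$pdo = new PDO($dsn,"root","123");

//2. write the SQL statement
$sql = "update nation set name='兽族' where code='n013'";

//3. run it
//$r = $pdo->query($sql);
$r = $pdo->exec($sql);*/

// Transaction demo: both inserts are applied together, or neither is.

// Create the connection object.
// Pinning charset in the DSN fixes the client character set the driver uses,
// so any escaping it performs works against the right encoding.
// NOTE(review): demo credentials — real deployments load these from configuration.
$dsn = "mysql:dbname=mydb;host=localhost;charset=utf8mb4";
$pdo = new PDO($dsn, "root", "123");

// Throw PDOException on any failure instead of returning false silently;
// without this the catch block below would never run.
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Literal SQL with no external input, so exec() on the raw string is fine here.
$sql1 = "insert into nation values('n016','人族')";
$sql2 = "insert into nation values('n017','不死族')";

try {
    // Start the transaction.
    $pdo->beginTransaction();

    $pdo->exec($sql1);
    $pdo->exec($sql2);

    // Commit both rows as one unit.
    $pdo->commit();
} catch (PDOException $e) {
    // Only roll back when a transaction is actually open: if beginTransaction()
    // itself threw, calling rollBack() here would raise a second exception.
    if ($pdo->inTransaction()) {
        $pdo->rollBack();
    }
    // Do not swallow the failure — the original discarded $e and left no trace.
    throw $e;
}

?>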


</body>
</html>

下面是防止 SQL 注入的第一种方法展示：问号占位

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>无标题文档</title>
</head>

<body>
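<?php

// Create the connection object. The client charset is pinned in the DSN,
// errors raise PDOException, and emulated prepares are disabled so the
// placeholders are bound by the server rather than interpolated by the driver.
// NOTE(review): demo credentials — real deployments load these from configuration.
$dsn = "mysql:dbname=mydb;host=localhost;charset=utf8mb4";
$pdo = new PDO($dsn, "root", "123", [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);

// Prepared statement with positional (?) placeholders: the values are sent
// separately from the SQL text, which is what prevents injection.
$sql = "insert into nation values(?,?)";

// prepare() returns a PDOStatement; the SQL itself is handed over here.
$st = $pdo->prepare($sql);

// Alternative: bind variables by position before execute():
/*$st->bindParam(1,$code);
$st->bindParam(2,$name);

$code="n022";
$name="矮人族";*/

// With ? placeholders execute() takes an indexed array, in placeholder order.
$attr = ["n023", "魔族"];

// No SQL is passed to execute() — it was given to prepare().
// var_dump shows the boolean result of the execution.
var_dump($st->execute($attr));

?>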
</body>
</html>

另一种方法：名称占位

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>无标题文档</title>
</head>

<body>

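<?php

// Create the connection object with the client charset pinned, exceptions
// on error, and emulated prepares disabled (placeholders bound server-side).
// NOTE(review): demo credentials — real deployments load these from configuration.
$dsn = "mysql:dbname=mydb;host=localhost;charset=utf8mb4";
$pdo = new PDO($dsn, "root", "123", [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);

// Prepared statement with named placeholders — note the leading colon.
$sql = "insert into nation values(:code,:name)";

// prepare() returns a PDOStatement.
$st = $pdo->prepare($sql);

// Alternative: bind variables by name before execute():
/*$st->bindParam(":code",$code,PDO::PARAM_STR);
$st->bindParam(":name",$name,PDO::PARAM_STR);

$code="n024";
$name="狼族";*/

// With named placeholders execute() takes an associative array whose keys
// match the placeholder names.
$attr = ["code" => "n025", "name" => "虫族"];

// Execute the prepared statement with the bound values.
$st->execute($attr);

?>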
</body>
</html>

最后是名称占位的好处

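<?php
// Create the connection object with the client charset pinned, exceptions
// on error, and emulated prepares disabled (placeholders bound server-side).
// NOTE(review): demo credentials — real deployments load these from configuration.
$dsn = "mysql:dbname=mydb;host=localhost;charset=utf8mb4";
$pdo = new PDO($dsn, "root", "123", [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);

// Prepared statement with named placeholders; the keys of the array given to
// execute() must match :code and :name.
$sql = "insert into nation values(:code,:name)";

// prepare() returns a PDOStatement.
$st = $pdo->prepare($sql);

// The original passed $_POST straight to execute(), relying on the form field
// names matching the placeholders. Select the two fields explicitly instead:
// any extra or missing form field can make execute() fail with a parameter
// count error, and the request should not decide which parameters get bound.
if (!isset($_POST['code'], $_POST['name'])) {
    http_response_code(400);
    exit('code and name are required');
}

$params = [
    'code' => $_POST['code'],
    'name' => $_POST['name'],
];

// Execute with exactly the values the statement expects.
$st->execute($params);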

最后是查询!!

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>无标题文档</title>
</head>

<body>
<?php

// Build the connection.
$pdo = new PDO("mysql:dbname=mydb;host=localhost", "root", "123");

// A SELECT with no external input still goes through prepare()/execute().
$statement = $pdo->prepare("select * from nation");
$statement->execute();

// Dump every row as an associative array (column name => value).
var_dump($statement->fetchAll(PDO::FETCH_ASSOC));

?>
</body>
</html>

 
