At the moment I am using this code and it works, but needless to say, as soon as I change $dateTo to :dateTo the query stops working. Any suggestions would be great.

$from = $_POST['from'];
$dateTo = $_POST['dateTo'];
$hourTo = $_POST['hoursTo'];
$hourFrom = $_POST['hoursFrom'];
$minuteTo = $_POST['minutesTo'];
$minuteFrom = $_POST['minutesFrom'];

$sql = "SELECT sum(countAudit) AS AMZL, sum(countAudit) AS OTHER, dateEntered, count(sort_id) AS Audited, sum(error) AS error, timeEntered
FROM audits WHERE (dateEntered BETWEEN ':from' AND '$dateTo')";

$query = $db->prepare($sql);
$query->bindParam(':from', $from);
$query->bindParam(':dateTo', $dateTo);

$query->execute();
foreach($db->query($sql) as $row){
    echo $row['AMZL'] . "<br>";
}

Best answer

Use prepared statements correctly: named placeholders must not be quoted.

Also, don't interpolate variables directly into the query string:

AND '$dateTo')";

That defeats the purpose of prepared statements.

And don't mix ->query() with ->execute(). Just use ->execute() directly:

// turn on error reporting
$db->setAttribute( PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION );

$from = $_POST['from'];
$dateTo = $_POST['dateTo'];
$hourTo = $_POST['hoursTo'];
$hourFrom = $_POST['hoursFrom'];
$minuteTo = $_POST['minutesTo'];
$minuteFrom = $_POST['minutesFrom'];

$sql = "
    SELECT
    sum(countAudit) AS AMZL,
    dateEntered,
    count(sort_id) AS Audited,
    sum(error) AS error,
    timeEntered

    FROM audits
    WHERE (dateEntered BETWEEN :from AND :dateTo)
"; //                           ^remove quotes^

$query = $db->prepare($sql);
$query->bindParam(':from', $from);
$query->bindParam(':dateTo', $dateTo);
$query->execute(); // execute
$results = $query->fetchAll(PDO::FETCH_ASSOC);
// don't forget to fetch the results

foreach($results as $row){
    echo $row['AMZL'] . "<br>";
}
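An added demonstration (not code from the question or the answer above) that shows both halves of the answer on a throwaway in-memory SQLite database: the quoted ':from' placeholder is rejected by PDO, while the unquoted placeholders are bound and return a result. The audits table and its rows are constructed here, and the date-format check before binding is an extra defensive step the answer does not mention.

```php
<?php
// Added example: in-memory SQLite stand-in for the audits table, with constructed rows.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE audits (sort_id INTEGER, countAudit INTEGER, error INTEGER,
                                dateEntered TEXT, timeEntered TEXT)');
$db->exec("INSERT INTO audits VALUES
    (1, 4, 0, '2016-03-20', '08:00'),
    (2, 6, 1, '2016-03-22', '09:30'),
    (3, 5, 0, '2016-04-02', '10:15')");

// Constructed request values standing in for $_POST['from'] and $_POST['dateTo'].
$from   = '2016-03-01';
$dateTo = '2016-03-31';

// 1. The question's quoted placeholder: ':from' inside quotes is a string literal,
//    so there is no parameter of that name to bind to. With ERRMODE_EXCEPTION the
//    driver reports SQLSTATE HY093 (at bind or execute time, depending on the driver).
try {
    $bad = $db->prepare("SELECT count(*) FROM audits
                         WHERE dateEntered BETWEEN ':from' AND :dateTo");
    $bad->bindParam(':from', $from);
    $bad->bindParam(':dateTo', $dateTo);
    $bad->execute();
} catch (PDOException $e) {
    echo "Quoted placeholder rejected: " . $e->getMessage() . "\n";
}

// 2. The fixed form. Parameters stop the value from being parsed as SQL; a shape
//    check on the dates additionally keeps malformed input from producing a
//    silently wrong date range (hypothetical validation, not from the answer).
foreach ([$from, $dateTo] as $d) {
    if (!preg_match('/^\d{4}-\d{2}-\d{2}$/', $d)) {
        throw new InvalidArgumentException("unexpected date format: $d");
    }
}
$query = $db->prepare("SELECT sum(countAudit) AS AMZL, count(sort_id) AS Audited,
                              sum(error) AS error
                       FROM audits WHERE dateEntered BETWEEN :from AND :dateTo");
// Binding through execute()'s array is equivalent to the bindParam() calls above.
$query->execute([':from' => $from, ':dateTo' => $dateTo]);
$row = $query->fetch(PDO::FETCH_ASSOC);
printf("AMZL=%d Audited=%d error=%d\n", $row['AMZL'], $row['Audited'], $row['error']);
```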

On php - PDO form input, a similar question was found on Stack Overflow: https://stackoverflow.com/questions/36169413/

10-13 00:50