|
搜索了下可以像这样指定MYSQL的参数类型,
$query = sprintf("SELECT * FROM Users where UserName='%s' and Password='%s'",
mysql_real_escape_string($Username),
mysql_real_escape_string($Password));
mysql_query($query);
//-----or
$db = new mysqli("localhost", "user", "pass", "database");
$stmt = $mysqli -> prepare("SELECT priv FROM testUsers WHERE username=? AND password=?");
$stmt -> bind_param("ss", $user, $pass);
$stmt -> execute();
看到一老外像这样写,,这个,看起来怪怪的
<?php
$id = mysql_real_escape_string( $_GET['id'] );
$q = "SELECT * FROM `table` WHERE `id` = $id";
?>
表23-1 bind_param第一个参数字符描述
字符种类
|
代表的数据类型
|
I
|
integer
|
D
|
double
|
S
|
string
|
B
|
blob
|
|
|
|