问题描述
我正在尝试将可变数量的值绑定到准备好的语句的IN ()条件中,并在稍后的查询中绑定更多的值,但是出现错误:
我的代码如下:
$ccarr=explode(",",$cc);
$in = str_repeat('?,',count($ccarr) - 1) . '?';
$op_r=$tfvarr[2];
$budg_et=$tfvarr[1];
$budg_et1=$tfvarr111111;
$sqldesk="SELECT subsubcatid_parent,plink,deskid,sum(itprice) as totprice FROM desktop_items a,items_table b,obsubsubcat c where subsubcatid_parent IN ($in) and a.itno = b.itno and a.subsubcatid_parent=c.subsubcatid group by subsubcatid_parent,deskid having totprice > ? && totprice ? ?" ;
if($stmtdesk = $conn->prepare($sqldesk))
{
$types = str_repeat('i',count($ccarr));
$types .= 'isi';
$stmtdesk->bind_param($types,...$ccarr,$budg_et1,$op_r,$budg_et);
$stmtdesk->execute();
$stmtdesk->store_result();
$stmtdesk->bind_result($subsubcatid_parentdesk,$plinkdesk,$deskiddesk,$totpricedesk);
}
如何绑定所有值而不会出现拆包错误?
解决方法
我建议您将其他值推入$ccarr数组中,以便只需要在$ccarr内使用bind_param()。
看起来$op_r是“运算符”而不是值。因此,这不应受到约束。 Listen to Victor。应该根据硬编码值的白名单对运算符值进行验证,然后将其直接插入查询字符串中。
$ccarr = explode(",",$cc);
$in = str_repeat('?,',count($ccarr) - 1) . '?';
$op_r = $tfvarr[2];
$budg_et = $tfvarr[1];
$budg_et1 = $tfvarr111111;
array_push($ccarr,$budg_et1,$budg_et);
$types = str_repeat('i',count($ccarr));
$sqldesk = "SELECT subsubcatid_parent,plink,deskid,SUM(itprice) AS totprice
FROM desktop_items a
JOIN items_table b ON a.itno = b.itno
JOIN obsubsubcat c ON a.subsubcatid_parent = c.subsubcatid
WHERE subsubcatid_parent IN ($in)
GROUP BY subsubcatid_parent,deskid
HAVING totprice > ? AND totprice {$op_r} ?";
$stmtdesk = $conn->prepare($sqldesk);
$stmtdesk->bind_param($types,...$ccarr);
$stmtdesk->execute();
$stmtdesk->store_result();
$stmtdesk->bind_result($subsubcatid_parentdesk,$plinkdesk,$deskiddesk,$totpricedesk);
此外,我不建议使用老式的逗号-JOIN。显式声明JOIN更加清晰和现代,它使用ON表达式来描述联接关系。
最后,MySQL中的&&应该是AND。始终使用大写字母在您的sql字符串中编写MySQL关键字。