问题描述
这是我的代码的快照:
$fetchPictures = $PDO->prepare("SELECT *
FROM pictures
WHERE album = :albumId
ORDER BY id ASC
LIMIT :skip, :max");
$fetchPictures->bindValue(':albumId', $_GET['albumid'], PDO::PARAM_INT);
if(isset($_GET['skip'])) {
$fetchPictures->bindValue(':skip', trim($_GET['skip']), PDO::PARAM_INT);
} else {
$fetchPictures->bindValue(':skip', 0, PDO::PARAM_INT);
}
$fetchPictures->bindValue(':max', $max, PDO::PARAM_INT);
$fetchPictures->execute() or die(print_r($fetchPictures->errorInfo()));
$pictures = $fetchPictures->fetchAll(PDO::FETCH_ASSOC);
我明白了
您的 SQL 语法有错误;检查对应的手册您的 MySQL 服务器版本在 ''15', 15' 附近使用的正确语法第 1 行
似乎 PDO 在 SQL 代码的 LIMIT 部分为我的变量添加了单引号.我查了一下我发现了这个我认为相关的错误:http://bugs.php.net/bug.php?id=44639
It seems that PDO is adding single quotes to my variables in the LIMIT part of the SQL code. I looked it up I found this bug which I think is related:http://bugs.php.net/bug.php?id=44639
这就是我在看的吗?这个bug从2008年4月就被打开了!在此期间我们应该做什么?
Is that what I'm looking at? This bug has been opened since April 2008!What are we supposed to do in the meantime?
我需要建立一些分页,并且需要在发送 sql 语句之前确保数据是干净的、sql 注入安全的.
I need to build some pagination, and need to make sure the data is clean, sql injection-safe, before sending the sql statement.
推荐答案
我记得以前有过这个问题.在将值传递给绑定函数之前将其转换为整数.我认为这可以解决问题.
I remember having this problem before. Cast the value to an integer before passing it to the bind function. I think this solves it.
$fetchPictures->bindValue(':skip', (int) trim($_GET['skip']), PDO::PARAM_INT);
这篇关于如何在 LIMIT 子句中应用 bindValue 方法?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!