使用准备好的语句插入选择 MySQL
问题描述:
我想知道我是否需要这样做.
I am wondering if I need to do this.
为了更安全,所有插入数据库的东西都是从用户发布的带有特定子句的另一个表中选择的.
To make it more secure, all the things inserted into database is selected from another table with specific clause that is posted from the user.
我使用 id 作为身份:
$identity = $_POST['id'];
$stmt = $mysqli->prepare ("INSERT into table_one (col_1, col_2, col_3)
VALUES (?,?,?)");
//This is what I use to do
$stmt >bind_param ("sss", $valua, $valueb, $valuec);
//But now I want to that like this
$stmt >bind_param ("sss", SELECT valuea, valueb, valuec FROM ANOTHERtable WHERE id = $identity);
$list->execute();
$list->close();
有可能吗?这样做的正确方法是什么?
Is it possible? And how is the correct way to do this?
答
您不需要绑定其他表中的值.您只需要为用户提供的值准备那些.您可以安全地使用现有值.
You dont need to bind the values from your other table. You just need to prepare those for the values that the user provides. You can safely use the existing values.
$stmt = $mysqli->prepare ("INSERT into table_one (col_1, col_2, col_3)
SELECT valuea, valueb, valuec FROM ANOTHERtable WHERE id = ?");
$stmt >bind_param ("i", $identity);
$stmt->execute();