通过PDO进行参数化的SELECT查询?

本文介绍了通过PDO进行参数化的SELECT查询?的处理方法，对大家解决问题具有一定的参考价值，需要的朋友们下面随着小编来一起学习吧！ 问题描述

可能重复: 如何防止SQL注入?

Possible Duplicate: How to prevent SQL injection?

我试图弄清楚如何通过PDO进行SELECT来进行参数化查询，现在我有了以下代码:

I'm trying to figure out how to do a parameterized query via PDO doing a SELECT, and right now I've got this code:

function user_login($username, $password) { $conn = connection_getConnection(); $stmt = $conn->prepare("SELECT `password` FROM `users` WHERE `username` = :username"); $row = $stmt-> #WHAT DO I DO HERE? if (empty($row)) { } }

所以，我在迷路的那条线上发表了评论.请从这里帮助我.

So, I placed a comment on the line I'm kind of lost on. Please help me out from here.

谢谢！

推荐答案

PHP手册有一些很好的例子.

为您:

function user_login($username, $password) { $conn = connection_getConnection(); $sql = "SELECT `password` FROM `users` WHERE `username` = :username"; $stmt = $conn->prepare($sql, array(PDO::ATTR_CURSOR => PDO::CURSOR_FWDONLY)); $query = $stmt->execute(array(':username' => $username)); $rows = $query->fetchAll(); if (empty($rows)) { } }