我有一个循环查询来插入MySQL数据库它完美地做我需要它做的事情,因为它需要所有用户输入数组,然后循环它们并将每个输入到数据库中自己的行。
$sql_insert_race_history = "INSERT INTO inf_race_history
(`inf_id`,`race_history`, `results`)
VALUES ";
if ($vracehistory != '') {
foreach ($vracehistory as $kay => $value) {
// $sql .= '' | $sql = $sql . '';
$sql_insert_race_history .= "('$inserted_id','{$value}','{$results[$kay]}'),";
}
} else {
$vracehistory = '';
}
// remove last `,` into query;
$sql_insert_race_history = rtrim($sql_insert_race_history, ',');
$countRow = count($_POST['racehist']);
//INSERT INTO THE DATABASE VIA QUERY
$results_racehistory = mysqli_query($vconn, $sql_insert_race_history);
这段代码工作并插入一切,因为我需要它但是我被告知它很容易受到SQL注入攻击,所以我一直试图通过使用预处理语句来防止每个版本我尝试只到目前为止循环不工作,它只上传数组中的最后一项
$stmtrace = $conn->prepare("INSERT INTO inf_race_history
(`inf_id`,`race_history`, `results`)
VALUES (?,?,?)");
if ($vracehistory != '') {
foreach ($vracehistory as $kay => $value) {
$stmtrace->bind_param("sss", $inserted_id,$value,$results[$kay]);
}
} else {
$vracehistory = '';
}
// remove last `,` into query;
$sql_insert_race_history = rtrim($stmtrace, ',');
$countRow = count($_POST['racehist']);
//INSERT INTO THE DATABASE VIA QUERY
$stmtrace->execute();
我认为这可能与将它从foreach循环中的.=更改为->bind_param有关,因为这可能会夺走循环它的机会?我不太确定,我也将如何回应我试图回应$stmtrace它说method _tostring is not implemented
foreach ($vracehistory as $kay => $value) {
$stmtrace->bind_param("sss", $inserted_id, $value, $results[$kay]);
$stmtrace->execute();
}
你应该在循环中放置execute()。
绑定foreach循环外的参数,并在foreach循环中分配变量时分配并执行查询。例如
$stmtrace->bind_param("sss", $insertId, $insertValue, $insertKey);
foreach ($vracehistory as $kay => $value) {
$insertId = inserted_id;
$insertValue = $value;
$insertKey = $kay;
$stmtrace->execute();
}
另请注意,如果绑定一个整数,bind_param方法的值应为'i'。