day61
防 SQL 注入：用预处理语句（PREPARE / EXECUTE ... USING）把值作为参数绑定，而不是把它拼接进 SQL 字符串；只有绑定的值受保护，SQL 文本本身必须是开发者写死的，不能来自用户输入。
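-- Anti-SQL-injection demo (MySQL): the SQL text is prepared once and the
-- caller-supplied value is bound to a `?` placeholder, so the value is never
-- parsed as SQL. Only the bound value is protected -- `tpl` itself becomes the
-- statement text, so it must be a constant written by the developer, never
-- assembled from user input (identifiers and SQL fragments cannot be bound).
--
-- A backslash is a poor client delimiter because it is MySQL's string escape
-- character (the reference manual warns against using it); `//` is the usual choice.
DELIMITER //

CREATE PROCEDURE p4 (
    IN tpl VARCHAR(255),  -- trusted SQL text containing exactly one `?` placeholder
    IN arg INT            -- value to bind to that placeholder
)
BEGIN
    -- PREPARE ... FROM and EXECUTE ... USING accept only user-defined session
    -- variables (`@name`), not routine parameters or DECLAREd locals, so both
    -- inputs are copied into session variables first.
    SET @xo = arg;
    SET @sql_text = tpl;
    PREPARE xxx FROM @sql_text;   -- parse the statement; `?` stays a bind marker (the name `xxx` is arbitrary)
    EXECUTE xxx USING @xo;        -- supply arg as a bound value, not by splicing it into the text
    DEALLOCATE PREPARE xxx;       -- free the server-side prepared statement
END //

DELIMITER ;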
EXECUTE ... USING 后面只能跟用户变量（以 "@" 开头的会话变量），不能直接写存储过程的参数或 DECLARE 声明的局部变量；"@" 表示的是用户/会话变量，并不是局部变量声明，所以上面要先 `set @xo = arg` 把参数拷进 @xo。PREPARE ... FROM 同样只接受字符串字面量或用户变量。
调用时:
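-- The SQL text is a literal in application code; only the value 9 travels as a
-- bound parameter, so it cannot change the statement's structure.
-- The procedure defined above is named p4, so that is the name to call.
CALL p4('select * from tb where id > ?', 9);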