感觉可以和存储过程:https://blog.csdn.net/zhizhengguan/article/details/86525021#if_115 对照着看
优点
- 防止SQL注入
- 实现动态查询
prepare 防止SQL注入
-- Look up one employee with the key bound through a placeholder rather than
-- spliced into the SQL text.
SET @stmt_text = 'select * FROM employees where emp_no = ?';
SET @emp_no_param = 100080;
PREPARE stmt FROM @stmt_text;
-- The bound value fills the `?` slot as data; it is never parsed as SQL.
EXECUTE stmt USING @emp_no_param;
DEALLOCATE PREPARE stmt;
备注:什么叫做SQL注入
原本要执行
-- The statement the application intends to run: a single row, selected by emp_no.
SELECT *
FROM employees
WHERE emp_no = 100080;
如果用户输入未经处理就被直接拼接进 SQL 字符串,语句就会变成
-- What the same statement becomes once untrusted text is concatenated into it:
-- the appended predicate is always true, so the emp_no filter no longer restricts
-- the result set.
SELECT *
FROM employees
WHERE emp_no = 100080 OR 1 = 1;
由于 `or 1 = 1` 恒为真,emp_no 的过滤条件随之失效,整张表的数据都会被返回,也就是被全部泄露
而如果使用Prepare语句
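-- Same parameterised statement as above, now fed an input that carries its own SQL.
SET @s = 'select * FROM employees where emp_no = ?';
-- Bind the untrusted input as ONE value. The original `set @a = 100080 or 1=1` was a
-- boolean expression that MySQL evaluated to 1 before binding, so it never exercised
-- the injection case; the text an attacker actually sends is the whole string.
SET @a = '100080 or 1=1';
PREPARE stmt FROM @s;
-- The placeholder is a value slot: the bound text is not parsed as SQL, so the
-- predicate stays `emp_no = <one value>` and the table is not dumped.
-- NOTE(review): MySQL compares the string against the integer column numerically,
-- so this resolves to emp_no = 100080 with a truncation warning — confirm on your server.
EXECUTE stmt USING @a;
DEALLOCATE PREPARE stmt;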
仍然只会按一个 emp_no 值来查询,不会返回整张表:占位符只能接收一个值,绑定进去的内容不会再被当作 SQL 解析(注意 `100080 or 1=1` 作为 SET 表达式在 MySQL 中会先被求值为 1;恶意输入真正到达数据库时是整个字符串 '100080 or 1=1')
prepare 实现动态查询(注意:用 concat 拼接的应只是固定的 SQL 片段,来自用户的值仍然要通过 ? 绑定,否则又会回到 SQL 注入的问题)
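-- Dynamic query: the SQL *structure* (which predicates are present) is assembled at
-- run time, but every *value* still goes through a placeholder. Concatenating the
-- values into the string, as the first version did, reintroduces the injection
-- problem shown in the first example, and the double-quoted "m" additionally depended
-- on sql_mode (under ANSI_QUOTES a double-quoted token is an identifier).
SET @s = 'select * FROM employees where 1=1';  -- `1=1` lets every appended clause start with AND
SET @s = CONCAT(@s, ' AND gender = ?');
SET @s = CONCAT(@s, ' and birth_date >= ?');
SET @gender = 'm';
SET @birth_date_from = '1960-01-01';
PREPARE stmt FROM @s;
-- Arguments are bound in placeholder order.
EXECUTE stmt USING @gender, @birth_date_from;
DEALLOCATE PREPARE stmt;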
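-- Paginated variant of the dynamic query. LIMIT accepts placeholders in a prepared
-- statement, so the offset and page size are bound like every other value.
SET @s = 'select * FROM employees where 1=1';  -- `1=1` lets every appended clause start with AND
SET @s = CONCAT(@s, ' AND gender = ?');
SET @s = CONCAT(@s, ' and birth_date >= ?');
SET @s = CONCAT(@s, ' order by emp_no limit ?, ?');  -- ORDER BY a unique key keeps pages stable
SET @gender = 'm';
SET @birth_date_from = '1960-01-01';
SET @page_no = 0;      -- row offset (rows to skip), not a page index
SET @page_count = 10;  -- page size
PREPARE stmt FROM @s;
-- Bug fix: the original passed @page_count twice, so the offset was always 10 and the
-- first page of results was silently skipped. Argument order must match placeholder order.
EXECUTE stmt USING @gender, @birth_date_from, @page_no, @page_count;
DEALLOCATE PREPARE stmt;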