day61
防sql注入
delimiter \\
CREATE PROCEDURE p4 (
in tpl varchar(255),
in arg int
)
BEGIN
set @xo = arg;
PREPARE xxx FROM 'select * from student where sid > ?'; #准备执行
EXECUTE xxx USING @xo;#会将?替换 @xo
DEALLOCATE prepare xxx; #xxx名字随便取 #开始执行
END\\
delimiter ;
using后必须是局部变量,"@"是:局部变量声明。
调用时:
call p7("select * from tb where id > ?",9);