Warning: file_get_contents(/data/phpspider/zhask/data//catemap/8/mysql/56.json): failed to open stream: No such file or directory in /data/phpspider/zhask/libs/function.php on line 167

Warning: Invalid argument supplied for foreach() in /data/phpspider/zhask/libs/tag.function.php on line 1116

Notice: Undefined index: in /data/phpspider/zhask/libs/function.php on line 180

Warning: array_chunk() expects parameter 1 to be array, null given in /data/phpspider/zhask/libs/function.php on line 181
PHP使用mysql在变量中发布变量_Php_Mysql - Fatal编程技术网
Fatal编程技术网
  • php/
  • PHP使用mysql在变量中发布变量

PHP使用mysql在变量中发布变量

php mysql

PHP使用mysql在变量中发布变量,php,mysql,Php,Mysql,我需要使用地区编号作为变量的结尾。示例$publish\u page\u添加地区编号 我正在从我的url抓取$district\u num,我已经用echo 这是我试过的 $district_num = $_REQUEST['district_num']; // from url and works $publish_page_.''.$district_num = $district_var['publish_page_'.$district_num.'']; //this does not

我需要使用地区编号作为变量的结尾。示例
$publish\u page\u
添加地区编号 我正在从我的url抓取
$district\u num
,我已经用
echo

这是我试过的

$district_num = $_REQUEST['district_num']; // from url and works

$publish_page_.''.$district_num = $district_var['publish_page_'.$district_num.'']; //this does not work

$publish_page_.''.$district_num = addslashes($_POST['publish_page_'.$district_num.'']); //this does not work

$sql = "UPDATE districts SET
        publish_page_$district_num = '$publish_page_$district_num' //this does not work and throws error "can not find publish_page_ in field list

        WHERE district_num ='$district_num'"; //this works when the above code is removed
跟进已更正的代码。。。谢谢你@cale_b和@Bill Karwin

     $district_num = (int) $_REQUEST['district_num']; 
     $$publish_page = "publish_page_{$district_num}";

     $$publish_page = $district_var[ "publish_page_{$district_num}"];

if (isset($_POST['submitok'])):
   $$publish_page = addslashes($_POST[$publish_page]);


    $sql = "UPDATE districts SET
            publish_page_{$district_num} = '$publish_page'

        WHERE district_num ='$district_num'";
如果你想了解,它在手册中(我链接到它)。但事实上,在你的情况下,你并不需要它

注意SQL注入。您的代码易受此攻击

因为您使用输入来形成SQL列名,所以不能使用SQL查询参数来解决它。但是您可以将输入强制转换为整数,在这种情况下可以防止SQL注入

$district_num = (int) $_REQUEST['district_num'];

$publish_page_col = "publish_page_{$district_num}";
上述方法是安全的,因为
(int)
转换确保num变量仅为数字。它不可能包含任何可能导致SQL注入漏洞的字符,如
'
\

对于其他动态值,请使用查询参数

$publish_page_value = $_REQUEST["publish_page_4{$district_num}"];

$sql = "UPDATE districts SET
        `$publish_page_col` = ?
        WHERE district_num = ?";
$stmt = $pdo->prepare($sql);
$stmt->execute([ $publish_page_value, $district_num ]);
正如下面的@cale_b注释所示,您应该了解,在PHP中,变量可以在双引号字符串中展开。有关详细信息,请参阅。

更有用的是输入和输出示例。你的问题有点让人困惑。但是,您正在寻找两个概念:1:变量和2:插值-在第二行中尝试以下内容:
$key=“publish\u page{$district\u num}”然后
$$key=$district\u var[“发布页面”{$district\u num}]-(是的,
$$key
-这是一个变量)您可能会提到双引号的重要性,以及双引号内发生插值的事实……在回显以下代码时,文本丢失,只显示数字$district_num=(int)$_请求['district_num'];$publish\u page\u col=“publish\u page{$district\u num}”;这对我来说很好。我可以
var\u dump($publish\u page\u col)输出为
字符串(17)“发布页面”
。我不知道你在干什么。