Php 将$\u GET传递到mySQL查询中
所以我有这个Php 将$\u GET传递到mySQL查询中,php,mysql,Php,Mysql,所以我有这个 $name = $_GET['fullname']; $username = $_GET['username']; $password = $_GET['password']; $gender = $_GET['gender']; $query = "INSERT INTO main (name, username, password,gender) VALUES (" . $name . "," . $username . "," . $password . ", " . $
$name = $_GET['fullname'];
$username = $_GET['username'];
$password = $_GET['password'];
$gender = $_GET['gender'];
$query = "INSERT INTO main (name, username, password,gender) VALUES (" . $name . "," . $username . "," . $password . ", " . $gender . ");";
mysql_query($query) or die(mysql_error());
http://my.website.com/submit_user_info.php?fullname=myfullname&username=myusername&password=mypassword&gender=m$query值(myfullname,“…等)$\u GETUnknown column 'myfullname' in 'field list'
为什么会发生这种情况?我如何解决这个问题?我通常不使用PHP/MySQL,所以我不太熟悉。在变量周围加上单引号。您需要在所有变量周围加引号:
// Sanitize with mysql_real_escape_string()
$name = mysql_reaL_escape_string($_GET['fullname']);
$username = mysql_reaL_escape_string($_GET['username']);
$password = mysql_reaL_escape_string($_GET['password']);
$gender = mysql_reaL_escape_string($_GET['gender']);
// Escaped values can be interpolated in the double-quoted string.
$query = "INSERT INTO main (name, username, password,gender) VALUES ('$name','$username','$password','$gender');";
因为您使用的是双引号字符串,所以您可以简单地将变量包含在由单引号包围的字符串中,以便正确插入,而不是将它们与
$vars = array('fullname', 'username', 'password', 'gender');
$query = "INSERT INTO main (name, username, password, gender) VALUES ('%s', '%s', '%s', '%s');";
$source = $_GET;
$vals = array_intersect_key($source, array_flip($vars));
if (count($vals) !== count($vars)) {
throw new RuntimeException('Invalid Request, missing variables: '.implode(', ', array_keys(array_diff_key(array_flip($vars), $source))));
}
if (!mysql_query(vsprintf($query, array_map('mysql_reaL_escape_string', $vals)))) {
throw new RuntimeException('Database Error: '.mysql_error());
}
这只是一些快速的书面示例,您应该考虑使用mySQL而不是mysql(参见)建议大家看一看。
别忘了清理用户输入!!!小心sql注入-而且,永远不要使用$\u GET$\u POST