Php 如何以正确的格式获取此查询?
我一直在尝试使用php获取一些数据以输入我的sqli数据库 在PHPMyAdmin上通过GUI执行插入查询时,需要将变量包装在单引号中 到目前为止,我是这样构建查询的:Php 如何以正确的格式获取此查询?,php,sql,mysqli,insert,Php,Sql,Mysqli,Insert,我一直在尝试使用php获取一些数据以输入我的sqli数据库 在PHPMyAdmin上通过GUI执行插入查询时,需要将变量包装在单引号中 到目前为止,我是这样构建查询的: $fields = array('`appName`' => $_POST[appName], '`appDescription`' => $_POST[appDescription], '`UploadDate`' => date
$fields = array('`appName`' => $_POST[appName],
'`appDescription`' => $_POST[appDescription],
'`UploadDate`' => date("Y-m-d"),
'`appWebsite`' => $_POST[appWebsite]);
printarray($fields);
print "<br>";
print "<br>";
$columns = implode(", ",array_keys($fields));
$escaped_values = array_map('mysql_real_escape_string', array_values($fields));
$values = implode(", ", $escaped_values);
$sql = "INSERT INTO `applist`.`apps` ($columns) VALUES ($values)";
print $sql;
print "<br>";
if (mysqli_query($conn, $sql)) {
echo "New record created successfully";
} else {
echo "Error";
}
如何将数组的值用单引号括起来
任何帮助都值得赞赏。因为您使用了内爆,因此您可以添加引号,并在sql查询中添加开始和结束报价:
$fields = array('`appName`' => $_POST[appName],
'`appDescription`' => $_POST[appDescription],
'`UploadDate`' => date("Y-m-d"),
'`appWebsite`' => $_POST[appWebsite]);
printarray($fields);
print "<br>";
print "<br>";
$columns = implode(", ",array_keys($fields));
$escaped_values = array_map('mysql_real_escape_string', array_values($fields));
$values = implode("', '", $escaped_values); //add qoutes
$sql = "INSERT INTO `applist`.`apps` ($columns) VALUES ('$values')"; //add start and end qoutes
print $sql;
print "<br>";
if (mysqli_query($conn, $sql)) {
echo "New record created successfully";
} else {
echo "Error";
}
$fields=array(`appName`=>$\u POST[appName],
“`appDescription`=>$\u发布[appDescription],
“`UploadDate`=>日期(“Y-m-d”),
“`appWebsite`=>$\u POST[appWebsite]);
打印阵列(字段);
打印“
”;
打印“
”;
$columns=内爆(“,”,数组_键($fields));
$escape_values=array_map('mysql_real_escape_string',array_values($fields));
$values=内爆(“',”,$escape_值)//添加qoutes
$sql=“插入到`applist`.`apps`($columns)值('$VALUES')”//添加开始和结束qoutes
打印$sql;
打印“
”;
if(mysqli_查询($conn,$sql)){
echo“新记录创建成功”;
}否则{
回声“错误”;
}
但这不是一个好的解决方案,其他查询可能会出错!使用PDO比它更好 您需要将单引号附加到每个数组值 替换
$values = implode(", ", $escaped_values);
与
你甚至还加了双引号。我至少可以发现两个错误
- 查询中字符串周围缺少单引号
- 混合API(
和mysql\uu
不会混合),您可以使用mysqli\u
mysql\u real\u escape\u string()
…
)。为了生成占位符?
,我们创建了一个包含计数($fields)
元素数的数组,所有元素的值都是?
。这是通过array\u fill()
完成的。然后我们内爆()
$fields = array('`appName`' => $_POST['appName'],
'`appDescription`' => $_POST['appDescription'],
'`UploadDate`' => date("Y-m-d"),
'`appWebsite`' => $_POST['appWebsite']);
$columns = implode(", ",array_keys($fields));
$sql = "INSERT INTO `applist`.`apps` ($columns) VALUES (".implode(", ", array_fill(0, count($fields), '?')).")";
if ($stmt = $conn->prepare($sql)) {
$stmt->bind_param(str_repeat("s", count($fields)), ...$fields);
if ($stmt->execute())
echo "New record created successfully";
else
echo "Insert failed";
$stmt->close();
} else {
echo "Error";
}
这将负责引用字符串并防止SQL注入
要获取可能遇到的任何错误,请使用mysqli\u error($conn)
和/或mysqli\u stmt\u error($stmt)
。这将确切地告诉你出了什么问题
您还应该引用POST数组中的索引。PHP会找到答案,并将appName
转换为'appName'
,但如果您记录错误,它会生成通知(这是您应该做的)
$columns=内爆(“,”,数组_键($fields));
$escape_values=array_map('mysql_real_escape_string',array_values($fields))
哎哟。不太好
试图转义内容是值得称赞的,但是如果数据中包含逗号,那么使用此代码将无法成功
您已经开始使用一种插入数据的通用方法,请考虑:
function insert($db_conn, $table, $data)
{
$ins_vals=array(); // note we write the transformed data to a new array
// as we may be modifying the column names too
foreach ($data as $key=>$val) {
// we need to protect the column names from injection attacks as
// well as the data hence:
$quoted_key="`" . str_replace("`", "", $key) . "`";
// next we create an appropriate representation of the data value
if (is_null($val)) {
$ins_vals[$quoted_key]="NULL"; // in SQL 'NULL' != NULL
} else if (is_numeric($val)) {
// nothing to change here
$ins_vals[$quoted_key]=$val; // no need to quote/escape
} else {
$ins_vals[$quoted_key]="'"
. mysqli_real_escape_string($dbconn, $val)
. "'";
}
}
// then we stick the bits together in an SQL statement
$cols=implode(",", array_keys($ins_vals));
$vals=implode(",", $ins_vals);
$sql="INSERT INTO $table ($cols) VALUES ($vals)";
return mysqli_query($dbconn, $sql);
}
不要使用字符串连接生成查询。使用或准备带有绑定参数的语句,如中所述。在此处混合API是行不通的。您的查询没有动态构建所需的那么大或复杂。当然可以,但至少要用准备好的语句来构建它。
$fields = array('`appName`' => $_POST['appName'],
'`appDescription`' => $_POST['appDescription'],
'`UploadDate`' => date("Y-m-d"),
'`appWebsite`' => $_POST['appWebsite']);
$columns = implode(", ",array_keys($fields));
$sql = "INSERT INTO `applist`.`apps` ($columns) VALUES (".implode(", ", array_fill(0, count($fields), '?')).")";
if ($stmt = $conn->prepare($sql)) {
$stmt->bind_param(str_repeat("s", count($fields)), ...$fields);
if ($stmt->execute())
echo "New record created successfully";
else
echo "Insert failed";
$stmt->close();
} else {
echo "Error";
}
function insert($db_conn, $table, $data)
{
$ins_vals=array(); // note we write the transformed data to a new array
// as we may be modifying the column names too
foreach ($data as $key=>$val) {
// we need to protect the column names from injection attacks as
// well as the data hence:
$quoted_key="`" . str_replace("`", "", $key) . "`";
// next we create an appropriate representation of the data value
if (is_null($val)) {
$ins_vals[$quoted_key]="NULL"; // in SQL 'NULL' != NULL
} else if (is_numeric($val)) {
// nothing to change here
$ins_vals[$quoted_key]=$val; // no need to quote/escape
} else {
$ins_vals[$quoted_key]="'"
. mysqli_real_escape_string($dbconn, $val)
. "'";
}
}
// then we stick the bits together in an SQL statement
$cols=implode(",", array_keys($ins_vals));
$vals=implode(",", $ins_vals);
$sql="INSERT INTO $table ($cols) VALUES ($vals)";
return mysqli_query($dbconn, $sql);
}