Php 可以在WHERE子句中使用$\u POST吗_Php_Mysql_Variables_Methods

Php 可以在WHERE子句中使用$\u POST吗

php mysql variables methods

Php 可以在WHERE子句中使用$\u POST吗,php,mysql,variables,methods,Php,Mysql,Variables,Methods,在这个问题上没有真正直接的答案，所以我想我应该试一试 $myid = $_POST['id']; //Select the post from the database according to the id. $query = mysql_query("SELECT * FROM repairs WHERE id = " .$myid . " AND name = '' AND email = '' AND address1 = '' AND postcode = '';

在这个问题上没有真正直接的答案，所以我想我应该试一试

$myid = $_POST['id'];

       //Select the post from the database according to the id.
   $query = mysql_query("SELECT * FROM repairs WHERE id = " .$myid . " AND name = '' AND email = '' AND address1 = '' AND postcode = '';") or die(header('Location: 404.php'));

上面的代码应该将变量$myid设置为id的发布内容，然后在SQL WHERE子句中使用该变量根据提交的id从数据库中获取数据。忘记了潜在的SQL注入（稍后我将修复它们）为什么这不起作用

好的，下面是我测试的完整代码：

<?php

//This includes the variables, adjusted within the 'config.php file' and the functions from the 'functions.php' - the config variables are adjusted prior to anything else.
require('configs/config.php');
require('configs/functions.php');

//Check to see if the form has been submited, if it has we continue with the script.
if(isset($_POST['confirmation']) and $_POST['confirmation']=='true')
{
    //Slashes are removed, depending on configuration.
    if(get_magic_quotes_gpc())
    {
        $_POST['model'] = stripslashes($_POST['model']);
        $_POST['problem'] = stripslashes($_POST['problem']);
        $_POST['info'] = stripslashes($_POST['info']);
    }
    //Create the future ID of the post - obviously this will create and give the id of the post, it is generated in numerical order.
    $maxid = mysql_fetch_array(mysql_query('select max(id) as id from repairs'));
    $id = intval($maxid['id'])+1;

    //Here the variables are protected using PHP and the input fields are also limited, where applicable.
    $model = mysql_escape_string(substr($_POST['model'],0,9));
    $problem = mysql_escape_string(substr($_POST['problem'],0,255));
    $info = mysql_escape_string(substr($_POST['info'],0,6000));

    //The post information is submitted into the database, the admin is then forwarded to the page for the new post. Else a warning is displayed and the admin is forwarded back to the new post page. 
    if(mysql_query("insert into repairs (id, model, problem, info) values ('$_POST[id]', '$_POST[model]', '$_POST[version]', '$_POST[info]')"))
    {

?>

<?php

$myid = $_POST['id'];

       //Select the post from the database according to the id.
   $query = mysql_query("SELECT * FROM repairs WHERE id=" .$myid . " AND name = '' AND email = '' AND address1 = '' AND postcode = '';") or die(header('Location: 404.php'));

       //This re-directs to an error page the user preventing them from viewing the page if there are no rows with data equal to the query.
   if( mysql_num_rows($query) < 1 )
{
 header('Location: 404.php');
 exit;
}

   //Assign variable names to each column in the database.
   while($row = mysql_fetch_array($query))
   {
       $model = $row['model'];
       $problem = $row['problem'];
   }

           //Select the post from the database according to the id.
   $query2 = mysql_query('SELECT * FROM devices WHERE version = "'.$model.'" AND issue = "'.$problem.'";') or die(header('Location: 404.php'));

       //This re-directs to an error page the user preventing them from viewing the page if there are no rows with data equal to the query.
   if( mysql_num_rows($query2) < 1 )
{
 header('Location: 404.php');
 exit;
}

   //Assign variable names to each column in the database.
   while($row2 = mysql_fetch_array($query2))
   {
       $price = $row2['price'];
       $device = $row2['device'];
       $image = $row2['image'];
   }

?>  

<?php echo $id; ?>
<?php echo $model; ?>
<?php echo $problem; ?>
<?php echo $price; ?>
<?php echo $device; ?>
<?php echo $image; ?>

    <?  
    }
    else
    {
        echo '<meta http-equiv="refresh" content="2; URL=iphone.php"><div id="confirms" style="text-align:center;">Oops! An error occurred while submitting the post! Try again…</div></br>';
    }
}
?>


检查$myid的值和整个动态创建的SQL字符串，以确保它包含您认为它包含的内容
您的问题可能是由于对可能包含空值的列使用空字符串比较造成的。请尝试对所有空字符串使用name IS NULL
，依此类推
$myid
为空的唯一原因是它不是由浏览器发送的。确保表单操作设置为POST。您可以使用以下内容验证$\u POST
中是否存在值：
print_r($_POST);

并且，重复您的查询，以确保它是您期望的。尝试通过PHPMyAdmin或MySQL Workbench手动运行它。
表中的id是什么数据类型？你可能需要用单引号括起来
$query = msql_query("SELECT * FROM repairs WHERE id = '$myid' AND...")

编辑：也不需要使用双引号字符串连接。
使用$something=mysql\u real\u escape\u string（$POST['something']）

不仅可以防止SQL注入，还可以防止由于输入数据而导致的语法错误，例如：
name = O'Reilly    <<-- query will bomb with an error
memo = Chairman said: "welcome"   
etc.

name=O'Reilly它确实。您一定有其他问题未发布。返回的错误是什么？-使用php.net/mysql_query中的示例代码来显示您的错误为什么在查询的末尾有一个分号？@IgnacioVazquez Abrams这是多余的只是想指出，“我以后再修复它”通常会导致一些无法修复的问题，而在SQL注入的情况下，这是不应该延迟的问题。