Php 准备语句以使用用户输入更新MySQL数据库
使用PHP更新MySQL数据库有好的做法吗?我应该使用以下代码:Php 准备语句以使用用户输入更新MySQL数据库,php,mysql,mysqli,Php,Mysql,Mysqli,使用PHP更新MySQL数据库有好的做法吗?我应该使用以下代码: function change_email($email, $email_new) { $sql = "UPDATE users SET email = '$email_new' WHERE email = '$email' LIMIT 1"; $this->_db->query($sql); } 还是有更好的解决方案?我听说过准备好的语句,我认为我应该在这里使用它们,因为$email和$email\
function change_email($email, $email_new) {
$sql = "UPDATE users SET email = '$email_new' WHERE email = '$email' LIMIT 1";
$this->_db->query($sql);
}
还是有更好的解决方案?我听说过准备好的语句,我认为我应该在这里使用它们,因为$email和$email\u new是用户输入
非常感谢。试试这个
$query = "UPDATE users SET email ='".$email_new."' WHERE email = '".$email."'";
如果你想用非面向对象的方式。你可以用下面的方法来做。但一定要先转义数据(如果是用户输入的话),否则很容易受到SQL注入的攻击
$email_new = mysqli_real_escape_string($db, $email_new); //If you didn't did this already
$email = mysqli_real_escape_string($db, $email);
//You could also use htmlentities to secure against cross-site scripting
$email_new = htmlentities($email_new); //You can use htmlspecialchars() if you only want to do minimum conversion.
//This is not needed for email cause you are not inserting it into the database.
$query = "UPDATE users SET email = '$email_new' WHERE email = '$email'";
mysqli_query($db, $query);
您在
$email\u new
设置email=$email\u new'
设置email=$email\u new'
之前缺少一个报价,哈哈,好的,谢谢!我会试试这个。你可能想清理你的数据库输入。阅读bobby tables。是的,有:+1用于从SQLi保存OP。撰写此评论时唯一明智的解决方案。经过了很多时间,我学到了很多,为我的愚蠢感到抱歉。更新了这个问题,使它对未来更有帮助。“但一定要先避开你的数据(如果是用户输入的话)”-我的眼睛看着这个流着血。请阅读:
$email_new = mysqli_real_escape_string($db, $email_new); //If you didn't did this already
$email = mysqli_real_escape_string($db, $email);
//You could also use htmlentities to secure against cross-site scripting
$email_new = htmlentities($email_new); //You can use htmlspecialchars() if you only want to do minimum conversion.
//This is not needed for email cause you are not inserting it into the database.
$query = "UPDATE users SET email = '$email_new' WHERE email = '$email'";
mysqli_query($db, $query);