Php 准备语句以使用用户输入更新MySQL数据库
使用PHP更新MySQL数据库有好的做法吗?我应该使用以下代码:Php 准备语句以使用用户输入更新MySQL数据库,php,mysql,mysqli,Php,Mysql,Mysqli,使用PHP更新MySQL数据库有好的做法吗?我应该使用以下代码: function change_email($email, $email_new) { $sql = "UPDATE users SET email = '$email_new' WHERE email = '$email' LIMIT 1"; $this->_db->query($sql); } 还是有更好的解决方案?我听说过准备好的语句,我认为我应该在这里使用它们,因为$email和$email\
function change_email($email, $email_new) {
$sql = "UPDATE users SET email = '$email_new' WHERE email = '$email' LIMIT 1";
$this->_db->query($sql);
}
$query = "UPDATE users SET email ='".$email_new."' WHERE email = '".$email."'";
如果你想用非面向对象的方式。你可以用下面的方法来做。但一定要先转义数据(如果是用户输入的话),否则很容易受到SQL注入的攻击
$email_new = mysqli_real_escape_string($db, $email_new); //If you didn't did this already
$email = mysqli_real_escape_string($db, $email);
//You could also use htmlentities to secure against cross-site scripting
$email_new = htmlentities($email_new); //You can use htmlspecialchars() if you only want to do minimum conversion.
//This is not needed for email cause you are not inserting it into the database.
$query = "UPDATE users SET email = '$email_new' WHERE email = '$email'";
mysqli_query($db, $query);
您在
$email\u new设置email=$email\u new'email=$email\u new'$email_new = mysqli_real_escape_string($db, $email_new); //If you didn't did this already
$email = mysqli_real_escape_string($db, $email);
//You could also use htmlentities to secure against cross-site scripting
$email_new = htmlentities($email_new); //You can use htmlspecialchars() if you only want to do minimum conversion.
//This is not needed for email cause you are not inserting it into the database.
$query = "UPDATE users SET email = '$email_new' WHERE email = '$email'";
mysqli_query($db, $query);