在php中运行多个查询
我对PHP和HTML都是新手。在按下submit按钮后,我试图用Users MySQL表中已有的数据填充字段(这是可行的)。我还想将通过SELECT获得的相同数据插入另一个名为scan的SQL表中在php中运行多个查询,php,html,Php,Html,我对PHP和HTML都是新手。在按下submit按钮后,我试图用Users MySQL表中已有的数据填充字段(这是可行的)。我还想将通过SELECT获得的相同数据插入另一个名为scan的SQL表中 <?php // php code to search data in mysql database and set it in input text if(isset($_POST['search'])) { // id to search $user_id = $_POS
<?php
// php code to search data in mysql database and set it in input text
if(isset($_POST['search']))
{
// id to search
$user_id = $_POST['user_id'];
// connect to mysql
$connect = mysqli_connect("127.0.0.1", "root", "root","demodb");
// mysql search query
$query = "SELECT * FROM Users WHERE user_id = $user_id LIMIT 1";
$query = "INSERT INTO scan (user_id, osha, firstname, lastname, company, trade, email, picture) SELECT user_id, osha, firstname, lastname, company, trade, email, picture FROM Users WHERE user_id = $user_id LIMIT 1";
$result = mysqli_query($connect, $query);
// if id exist
// show data in inputsi
if(mysqli_num_rows($result) > 0)
{
while ($row = mysqli_fetch_array($result))
{
$osha = $row['osha'];
$firstname = $row['firstname'];
$lastname = $row['lastname'];
$company = $row['company'];
$trade = $row['trade'];
}
}
// if the id not exist
// show a message and clear inputs
else {
echo "Undifined ID";
$osha = "";
$firstname = "";
$lastname = "";
$company = "";
$trade = "";
}
mysqli_free_result($result);
mysqli_close($connect);
}
// in the first time inputs are empty
else{
$osha = "";
$firstname = "";
$lastname = "";
$company = "";
$trade = "";
}
?>
<!DOCTYPE html>
<html>
<head>
<title> PHP FIND DATA </title>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
</head>
<body>
<form action="barcode.php" method="post">
Id:<input type="text" name="user_id"><br><br>
Osha #:<input type="text" name="osha" value="<?php echo $osha;?>"><br><br>
First Name:<input type="text" name="firstname" value="<?php echo $firstname;?>"><br>
<br>
Last Name:<input type="text" name="lastname" value="<?php echo $lastname;?>"><br><br>
Company:<input type="text" name="company" value="<?php echo $company;?>"><br><br>
Trade:<input type="text" name="trade" value="<?php echo $trade;?>"><br><br>
<input type="submit" name="search" value="Find">
</form>
</body>
</html>
扫描表
| scan | CREATE TABLE `scan` (
`user_id` int(6) unsigned NOT NULL DEFAULT '0',
`osha` int(50) DEFAULT NULL,
`firstname` varchar(30) NOT NULL,
`lastname` varchar(30) NOT NULL,
`company` varchar(50) DEFAULT NULL,
`trade` varchar(50) DEFAULT NULL,
`email` varchar(50) DEFAULT NULL,
`picture` varchar(50) DEFAULT NULL,
`reg_date` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP
) ENGINE=InnoDB DEFAULT CHARSET=latin1 |
您正在使用新值覆盖变量
$query
,而不是先执行查询。也就是说,尽管您的代码存在许多问题:
- 您不是在逃避
,请仔细阅读SQL注入攻击$\u POST['user\u id']
- 你不是在逃避你的HTML,请仔细阅读XSS攻击
- 您的逻辑流复制代码
- 通过两次获取数据、仅获取一次数据和插入一次数据,可以在数据库上添加额外的负载
<?php
// initalize the variables
$osha = "";
$firstname = "";
$lastname = "";
$company = "";
$trade = "";
// php code to search data in mysql database and set it in input text
if(isset($_POST['search']))
{
// connect to mysql
$dbc = mysqli_connect("127.0.0.1", "root", "root","demodb");
// id to search
$user_id = mysqli_real_escape_string($dbc, $_POST['user_id']);
$query = "SELECT * FROM Users WHERE user_id = '$user_id' LIMIT 1";
$rs = mysqli_query($dbc, $query);
if (mysqli_num_rows($rs) == 1)
{
$row = mysqli_fetch_array($rs);
$osha = $row['osha'];
$firstname = $row['firstname'];
$lastname = $row['lastname'];
$company = $row['company'];
$trade = $row['trade'];
$query = "INSERT INTO scan (user_id, osha, firstname, lastname, company, trade, email, picture) VALUES (" .
"'" . $user_id . "', '" .
"'" . mysqli_real_escape_string($dbc, $osha ) . "', '" .
"'" . mysqli_real_escape_string($dbc, $firstname) . "', '" .
"'" . mysqli_real_escape_string($dbc, $lastname ) . "', '" .
"'" . mysqli_real_escape_string($dbc, $company ) . "', '" .
"'" . mysqli_real_escape_string($dbc, $trade ) . "')";
mysqli_query($dbc, $query);
}
else
{
echo "Undefined ID";
}
}
?>
<!DOCTYPE html>
<html>
<head>
<title> PHP FIND DATA </title>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
</head>
<body>
<form action="barcode.php" method="post">
Id:<input type="text" name="user_id"><br><br>
Osha #:<input type="text" name="osha" value="<?= htmlspecialchars($osha) ?>"><br><br>
First Name:<input type="text" name="firstname" value="<?= htmlspecialchars($firstname) ?>"><br>
<br>
Last Name:<input type="text" name="lastname" value="<?= htmlspecialchars($lastname) ?>"><br><br>
Company:<input type="text" name="company" value="<?= htmlspecialchars($company) ?>"><br><br>
Trade:<input type="text" name="trade" value="<?= htmlspecialchars($trade) ?>"><br><br>
<input type="submit" name="search" value="Find">
</form>
</body>
</html>
首先,不要直接在查询中使用变量。为了安全起见,强烈建议现在每天准备一份声明
因此,像这样更改查询,同时执行两个又一个查询时,必须将变量命名为不同的名称,否则后者将覆盖前一个:
$query1 = "SELECT * FROM Users WHERE user_id = ? LIMIT 1";
$query2 = "INSERT INTO scan (user_id, osha, firstname, lastname, company, trade, email, picture) SELECT user_id, osha, firstname, lastname, company, trade, email, picture FROM Users WHERE user_id = ? LIMIT 1";
然后创建准备好的语句,如下所示:
$stmt = mysqli_stmt_init($connect);
$stmt2 = mysqli_stmt_init($connect);
mysqli_stmt_prepare($stmt, $query1);
mysqli_stmt_prepare($stmt2, $query2);
mysqli_stmt_bind_param($stmt, "s", $user_id);
mysqli_stmt_bind_param($stmt2, "s", $user_id);
然后执行查询:
mysqli_stmt_execute($stmt);
mysqli_stmt_execute($stmt2);
最后,您可以通过以下方式获得$query1
的结果:
$result = mysqli_stmt_get_result($stmt);
你有没有看过我的文件?(1) 您的查询需要以结尾代码>,以及(2)您需要连接查询->$query.=
,因为您当前正在用第二个查询覆盖第一个查询。有些人发现这很有启发性。我正在尝试想象一个巧妙的查询,在重复键更新时插入和联合,然后检查受影响的行数。。。我相信结果可能是0、1或2。。。类似的东西。为什么这会对一个完全可以接受的、简洁的和正确的答案投反对票?我想知道。。。可能是某个PDO粉丝不高兴PDO没有在这里使用谢谢你的帮助!但是,我尝试了上面的代码,第二个查询似乎没有在表扫描中插入任何内容。有什么想法吗?嘿,伙计们,有什么想法我可以用上面的代码做第二个工作吗?@unexcellent请显示您的表定义(show create table Users
和show create table scan
)因此,我们可以复制您的设置和测试。您还可以使用mysqli\u real\u escape\u string
作为参数化查询的完全可接受的替代方法,它实际上更快,生成更干净的代码,并且只要您正确设置字符集,它同样安全。当迭代和插入数据集时,参数化查询速度更快,但对于单个查询,它会增加额外的开销。
$result = mysqli_stmt_get_result($stmt);