Php 基于用户输入的MySQL查询
我有一张DB表。我想做一个文本输入,用户可以在其中输入“uid”,查询将返回与该uid关联的行 假设我有这样的东西:Php 基于用户输入的MySQL查询,php,mysql,database,return,row,Php,Mysql,Database,Return,Row,我有一张DB表。我想做一个文本输入,用户可以在其中输入“uid”,查询将返回与该uid关联的行 假设我有这样的东西: $query = "SELECT name,age FROM people WHERE uid = '2' LIMIT 0,1"; $result = mysql_query($query); $res = mysql_fetch_assoc($result); echo $res["age"]; 如何将该查询修改为类似 SELECT name, age FROM pe
$query = "SELECT name,age FROM people WHERE uid = '2' LIMIT 0,1";
$result = mysql_query($query);
$res = mysql_fetch_assoc($result);
echo $res["age"];
SELECT name, age
FROM people
WHERE uid = $_POST['blahblah'] LIMIT 0,1
// Read input from $_POST
$uid = (isset($_POST['uid']) ? $_POST['uid'] : '');
// Build query. Properly escape input data.
$query =
"SELECT name,age " .
"FROM people " .
"WHERE uid = '" . mysql_real_escape_string($uid) . "' " .
"LIMIT 0,1";
要从SQL注入攻击中进行保存,请使用:
$search_query = mysql_real_escape_string($_POST['blahblah']);
$query = "SELECT name, age FROM people WHERE uid = '".$search_query."' LIMIT 0 , 1";
有很多方法可以做到这一点 但首先要将其转义并存储在一个变量中
$blahblah = mysql_real_escape_string($_POST['blahblah']);
$query = "SELECT name,age FROM people WHERE uid = '" . $blahblah . "' LIMIT 0,1";
$query = "SELECT name,age FROM people WHERE uid = '{$blahblah}' LIMIT 0,1";
$query = "SELECT name,age FROM people WHERE uid = '$blahblah' LIMIT 0,1";
$query = "SELECT name,age FROM people WHERE uid = $blahblah LIMIT 0,1";
您可以使用sprintf函数来创建查询
$query = sprintf("SELECT name,age FROM people WHERE uid = '%s' LIMIT 0,1",
$_POST['blahblah'] );
$query = sprintf("SELECT name,age FROM people WHERE uid = '%s' LIMIT 0,1",
mysql_escape_string($_POST['blahblah']) );
或者为什么不切换到PDO+使用预先准备好的语句以使其不受SQL注入的影响?出于我自己的教育目的,为什么使用-1ed?另外,我的印象是,如果字符串用双引号括起来,就可以插入一个不带引号的变量。这是真的,还是只对echos来说?我很感激你的建议/回答。@HiggsBoson谁做了-1他们应该添加评论。若您在db表中提到了int,那个么不需要在该变量周围加引号。更多添加引号会影响数据插入速度。但若db表有varchar或char列、date或int以外的列,则必须用(“”)双引号将其括起来