English 中文(简体)
MySQL和PHP的问题
原标题:Problem with MySQL and PHP
  • 时间:2010-10-14 18:30:54
  •  标签:
  • php
  • mysql

PHP文件:

<?php
if (isset($_POST[ name ])){
 mysql_connect("localhost", "db", "test") or die(mysql_error());
 mysql_select_db("db") or die(mysql_error());
 $tmp = mysql_query("SELECT commercial FROM Channels WHERE name= .$_POST[name]. ");
 echo $tmp[0];
}
else
{
?>
<form method="post" action="<?php echo $_SERVER[ PHP_SELF ];?>">
<input name="name" type="text">
<input type="submit" name="submit" value="submit" >
</form>
<?php
}
?>

MYSQL数据库:

CREATE TABLE IF NOT EXISTS `Channels` (
  `id` int(11) NOT NULL AUTO_INCREMENT,
  `name` varchar(30) NOT NULL,
  `commercial` tinyint(1) NOT NULL DEFAULT  0 ,
  `usrid` int(11) NOT NULL DEFAULT  0 ,
  PRIMARY KEY (`id`)
) ENGINE=MyISAM  DEFAULT CHARSET=latin1 AUTO_INCREMENT=3 ;

--
-- Daten für Tabelle `Channels`
--

INSERT INTO `Channels` (`id`, `name`, `commercial`, `usrid`) VALUES
(2,  TEST , 0, 0);

如果我在输入中写入TEST,$tmp[0]中的为空

请帮忙

最佳回答

问题出在您的查询上:

$tmp = mysql_query("SELECT commercial FROM Channels WHERE name= .$_POST[name]. ");

当您有一个要包含在字符串中的数组项时,需要将其用大括号括起来:

$tmp = mysql_query("SELECT commercial FROM Channels WHERE name= {$_POST[ name ]} ");

However DO NOT DO THIS. This query is highly insecure and open to SQL injection. Firstly ensure that magic_quotes_gpc is set to off in your PHP configuration (it is insecure and unreliable -- you can use var_dump(get_magic_quotes_gpc()); to confirm whether it is on or not). Then do the following:

$tmp = mysql_query("SELECT commercial FROM Channels WHERE name= " . mysql_real_escape_string($_POST[name]) . " ");

这将有助于确保您的网站不会受到SQL注入攻击。

我还鼓励您研究更现代、更安全的数据库查询方法,例如PDOMySQLi

时间:2010-10-14 18:41:28
问题回答

这里有撇号和引号:

 $tmp = mysql_query("SELECT commercial FROM Channels WHERE name= .$_POST[name]. ");

应该是:

 $tmp = mysql_query( SELECT commercial FROM Channels WHERE name=" .$_POST[ name ]. " );

编辑:而且,正如其他人所提到的,关闭Magic Quotes,如果它们被启用,并添加mysql_real_eescape_string(),因此:

 $tmp = mysql_query( SELECT commercial FROM Channels WHERE name=" .mysql_real_escape_string($_POST[ name ]). " );

此外,为了澄清,我之所以从外引号改为撇号,是因为变量解析(而不是自己做)增加了一些开销。

时间:2010-10-14 18:34:47
  1. You have a syntax error:
    $tmp = mysql_query("SELECT commercial FROM Channels WHERE name= .$_POST[name]. ");

您可能想要:

$tmp = mysql_query("SELECT commercial FROM Channels WHERE name= " . $_POST[ name ] ." ");

否则,如果你的名字是“Some Thing”,你就向mysql询问“.Somet Thing”(也不要像我写的那样使用该查询,这是一个安全问题,见下文)

  1. $tmp不是一个数组,它应该是一个结果。您需要调用mysql_fetch*函数之一来获得结果。您还应该使用mysql_error()检查错误,以确保查询成功。例如:

    if( !mysql_error() ) { $row = mysql_fetch_row($tmp); // do something with the row of data }

  2. 写入的查询是一个安全问题。有人可以用它来接管你的数据库,并做任何他们想做的事情。使用mysql_real_eescape_string()可以避免这种情况:

    $tmp=mysql_query(“SELECT commercial FROM Channels WHERE name=”.mysql_real_eescape_string($_POST[名称])。“”);

时间:2010-10-14 18:42:51


上一篇:
下一篇:


相关问题
SQL SubQuery getting particular column

I noticed that there were some threads with similar questions, and I did look through them but did not really get a convincing answer. Here s my question: The subquery below returns a Table with 3 ...

时间:2009-11-13 05:35:38 回答:3 展示:1
please can anyone check this while loop and if condition

<?php $con=mysql_connect("localhost","mts","mts"); if(!con) { die( unable to connect . mysql_error()); } mysql_select_db("mts",$con); /* date_default_timezone_set ("Asia/Calcutta"); $date = ...

时间:2009-11-13 05:25:03 回答:3 展示:1
php return a specific row from query

Is it possible in php to return a specific row of data from a mysql query? None of the fetch statements that I ve found return a 2 dimensional array to access specific rows. I want to be able to ...

时间:2009-11-09 16:40:04 回答:2 展示:1
Character Encodings in PHP and MySQL

Our website was developed with a meta tag set to... <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" /> This works fine for M-dashes and special quotes, etc. However, I ...

时间:2009-11-09 16:15:32 回答:3 展示:1
Pagination Strategies for Complex (slow) Datasets

What are some of the strategies being used for pagination of data sets that involve complex queries? count(*) takes ~1.5 sec so we don t want to hit the DB for every page view. Currently there are ~...

时间:2009-11-09 16:02:04 回答:5 展示:1
Averaging a total in mySQL

My table looks like person_id | car_id | miles ------------------------------ 1 | 1 | 100 1 | 2 | 200 2 | 3 | 1000 2 | 4 | 500 I need to ...

时间:2009-11-09 14:43:41 回答:4 展示:1
热门标签

友情链接

Allggapp Alljchome-教程家园 mvfinale.com-影视剧情大结局大全