SQL查询中的PHP整数值
[英]PHP integer value in SQL query
问题描述
这里$id是整数值,不会从MySQL中删除:
$Query="DELETE FROM table WHERE id='.$id.' and cid='".$cid."'";
2 个解决方案
解决方案1
3 2013-04-25 21:21:39
Your problem in short: you have mixed different quotation marks - " and ' . 
您在紧张的问题: 你有混合不同的引号- "和' 。
This problem would not arise if you would use prepared statements , as you would have had a single string literal: 如果您使用预处理语句 ,则不会出现此问题,因为您只有一个字符串文字:
$Query="DELETE FROM table WHERE id=? and cid=?";
This would also remove the possibility of SQL injections . 这也将消除SQL注入的可能性。
This would also speed-up you program if you need to execute the same prepared statement several times (the statement is already prepared and does not need to be parsed on the second+ invocation). 如果您需要多次执行同一条准备好的语句(这条语句已经准备好并且不需要在第二次调用之后进行解析) ,这也可以加快程序的速度 。
And finally, in case you are still using the officially deprecated PHP mysql extension you MUST switch to mysqli and use its full benefits like prepared statements. 最后,如果您仍在使用正式弃用的 PHP mysql扩展 ,则必须切换到mysqli并使用其充分的好处,如准备好的语句。 The mysql extension is no longer officially supported and may be removed in future (though I foresee that it will be moved to PEAR or so). mysql扩展不再受正式支持,并且将来可能会删除 (尽管我预计它将被移至PEAR左右)。
As a temporary solution, use mysql_real_escape_string to encode all variables which are derived from the user input. 作为一种临时解决方案,请使用mysql_real_escape_string对所有从用户输入派生的变量进行编码。 Please do NOT use mysql_escape_string as it is highly vulnerable to character encoding! 请不要使用mysql_escape_string因为它很容易受到字符编码的影响!
解决方案2
1 已采纳 2013-04-25 21:16:19
You forgot to close your " 您忘记关闭"
The Solution: 解决方案:
$id = mysql_real_scape_string($id);
$cid = mysql_real_scape_string($cid);
$Query="DELETE FROM table WHERE id='".$id."' and cid='".$cid."'";
The Problem 问题
So, if you were to echo out your statement as it was, the result would look like: 因此,如果您原样echo您的声明,则结果将如下所示:
DELETE FROM table WHERE id='.1.' and cid='2'
See the problem with that? 看到问题了吗?
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.