[英]Passing _POST variable to Mysql WHERE clause
<?php
//Connect to DB
$dbcnx = @mysql_connect("$db_host", $db_user, "$db_password");
if (!$dbcnx) {
echo( "<P>Unable to connect to the " .
"database server at this time.</P>" );
exit();
}
mysql_select_db("daily_audit", $dbcnx);
// Request the text of all the hosts
if(!empty($_POST['checklist'])) {
foreach($_POST['checklist'] as $check) {
$result = mysql_query(
"DELETE FROM hosts_list WHERE IP_Address = %s ", $check);
if (!$result) {
echo("<P>Error performing query: " .
mysql_error() . "</P>");
exit();
}
}
}
?>
I am having an issue getting the following code to run. 我在运行以下代码时遇到问题。 I have confirmed that the _POST variable contains data but I am pretty sure that there is an issue with how my SQL query is being process.
我已经确认_POST变量包含数据,但是我很确定我的SQL查询的处理方式存在问题。 Sorry I am a PHP n00b and I am trying to understand how I can correct this issue.
抱歉,我是PHP n00b,并且试图了解如何解决此问题。 I know that the query will likely require ' ' around the IP address which is making this tricky.
我知道查询可能会要求在IP地址周围输入'',这使这个问题变得棘手。 Thanks all in advance.
提前谢谢大家。
The mysql_query
function cannot format a string. mysql_query
函数无法格式化字符串。
You were probably thinking of sprintf()
: 您可能正在考虑
sprintf()
:
$query = sprintf("DELETE FROM hosts_list
WHERE IP_Address = %s", mysql_real_escape_string($check));
$result = mysql_query($query);
Consider switching to PDO
or mysqli
, because the mysql extension is now deprecated. 考虑切换到
PDO
或mysqli
,因为现在不建议使用mysql扩展名。
mysql_query()
can't format your query like that. mysql_query()
无法像这样格式化您的查询。
You're probably looking for sprintf()
: 您可能正在寻找
sprintf()
:
$result = mysql_query(
sprintf("DELETE FROM hosts_list WHERE IP_Address = %s ", $check) );
Note that your code is vulnerable to SQL injection. 请注意,您的代码容易受到SQL注入的攻击。 You should always sanitize user input before using it in a database query.
在数据库查询中使用用户输入之前,应始终清除用户输入。 Better yet, switch to MySQLi / PDO and use prepared statements.
更好的是,切换到MySQLi / PDO并使用准备好的语句。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.