SQL查询中的多个PHP变量
[英]Multiple PHP Variables in SQL Query
问题描述
Im struggling to understand quotes in PHP Mainly when doing SQL Query's. 
我很难理解PHP中的引号主要是在执行SQL查询时。 I keep getting an error on this query. 我不断收到此查询错误。
SELECT Hotels.HotelImage1, Holidays.ID, Hotels.HotelName, Destinations.Name, PriceBands.PriceBand_Cost FROM Holidays
INNER JOIN Hotels ON Holidays.Hotel_ID = Hotels.ID
INNER JOIN PriceBands ON Holidays.PriceBand_ID = PriceBands.ID
INNER JOIN Destinations ON Destinations.ID = Holidays.Destination_ID
WHERE Destinations.ID = ".$dest."AND Hotels.ID =".$hotel;
I'm Trying to use two PHP variables in the query. 我正在尝试在查询中使用两个PHP变量。 Any help would be greatly appreciate. 任何帮助将不胜感激。
4 个解决方案
解决方案1
0 2013-12-10 17:36:25
Your query should be 您的查询应为
$query = "SELECT Hotels.HotelImage1, Holidays.ID, Hotels.HotelName, Destinations.Name, PriceBands.PriceBand_Cost FROM Holidays
INNER JOIN Hotels ON Holidays.Hotel_ID = Hotels.ID
INNER JOIN PriceBands ON Holidays.PriceBand_ID = PriceBands.ID
INNER JOIN Destinations ON Destinations.ID = Holidays.Destination_ID
WHERE Destinations.ID = '$dest' AND Hotels.ID = '$hotel'";
Since you are using ID and if it is an integer field, it is not required to put quotes around ID value, you can also do 由于您使用的是ID,并且它是整数字段,因此不需要在ID值两边加上引号,因此您也可以
$query = "SELECT Hotels.HotelImage1, Holidays.ID, Hotels.HotelName, Destinations.Name, PriceBands.PriceBand_Cost FROM Holidays
INNER JOIN Hotels ON Holidays.Hotel_ID = Hotels.ID
INNER JOIN PriceBands ON Holidays.PriceBand_ID = PriceBands.ID
INNER JOIN Destinations ON Destinations.ID = Holidays.Destination_ID
WHERE Destinations.ID = $dest AND Hotels.ID = $hotel";
UPDATE: 更新:
You need to escape the query input. 您需要转义查询输入。 You can esacpe the user input using two methods. 您可以使用两种方法来保留用户输入。 Using mysqli_real_escape_string or using prepared statements : 使用mysqli_real_escape_string或使用准备好的语句 :
With mysqli_real_escape : 使用mysqli_real_escape:
$dest = $mysqli->real_escape_string($dest);
$hotel = $mysqli->real_escape_string($hotel);
$stmt = "SELECT Hotels.HotelImage1, Holidays.ID, Hotels.HotelName, Destinations.Name, PriceBands.PriceBand_Cost FROM Holidays
INNER JOIN Hotels ON Holidays.Hotel_ID = Hotels.ID
INNER JOIN PriceBands ON Holidays.PriceBand_ID = PriceBands.ID
INNER JOIN Destinations ON Destinations.ID = Holidays.Destination_ID
WHERE Destinations.ID = '$dest' AND Hotels.ID = '$hotel'";
With Prepared statement : 使用准备好的语句:
$stmt = $mysqli->prepare("SELECT Hotels.HotelImage1, Holidays.ID, Hotels.HotelName, Destinations.Name, PriceBands.PriceBand_Cost FROM Holidays
INNER JOIN Hotels ON Holidays.Hotel_ID = Hotels.ID
INNER JOIN PriceBands ON Holidays.PriceBand_ID = PriceBands.ID
INNER JOIN Destinations ON Destinations.ID = Holidays.Destination_ID
WHERE Destinations.ID = ? AND Hotels.ID = ?");
/* Bind parameters. Types: s = string, i = integer, d = double, b = blob */
$stmt->bind_param("ii", $dest, $hotel);
解决方案2
0 2013-12-10 17:36:34
Try change last string to 尝试将最后一个字符串更改为
WHERE Destinations.ID = '".$dest."' AND Hotels.ID ='".$hotel."'";
And always show sql errors. 并始终显示sql错误。 It is helpfull 这是有帮助的
解决方案3
0 2013-12-10 17:40:05
SQL (Most flavours, anyways) requires that strings be delimited by single-quotes. SQL(无论如何,大多数口味)都要求字符串用单引号引起来。 You have to build this into your query. 您必须将其构建到查询中。 Also, don't bother concatenating the variables as PHP is capable of finding variables inside strings. 另外,不要费心将变量连接起来,因为PHP能够在字符串中查找变量。
解决方案4
0 2013-12-10 17:41:34
Do not build SQL queries that way. 不要以这种方式构建SQL查询。 Use Prepared Statements instead. 改为使用预备语句。 Its parameter bind avoids any issue related to the data-type, SQL injection attacks and any security stuff. 它的参数绑定避免了与数据类型,SQL注入攻击和任何安全性有关的任何问题。
http://php.net/manual/en/mysqli.quickstart.prepared-statements.php http://php.net/manual/zh/mysqli.quickstart.prepared-statements.php
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.