使用PDO的PHP查询未插入MySQL
[英]Query with PHP using PDO are not inserted in MySQL
问题描述
I insert with PHP some data in my MySQL database, using PDO . 
我使用PDO将PHP中的一些数据插入MySQL数据库中。
$connection->query(
"INSERT INTO eOrderManagement.first_name (first_name)
VALUES ('" . $firstName . "');
INSERT INTO eOrderManagement.last_name (last_name)
VALUES ('" . $lastName . "');
INSERT INTO eOrderManagement.section (section)
VALUES ('" . $section . "');
INSERT INTO eOrderManagement.order (creation_date, wished_delivery_date, status, email, first_name_id, last_name_id, section_id)
VALUES ('" . $creationDate . "', '" . $wishedDeliveryDate . "', 'En attente', '" . $email . "', (SELECT first_name_id FROM eOrderManagement.first_name WHERE first_name LIKE '" . $firstName . "'), (SELECT last_name_id FROM eOrderManagement.last_name WHERE last_name LIKE '" . $lastName . "'), (SELECT section_id FROM eOrderManagement.section WHERE section LIKE '" . $section . "'));
INSERT INTO eOrderManagement.equipment (description, imputation, cost, maintenance_cost, order_id)
VALUES ('" . $description . "', '" . $imputation . "', '" . $cost . "', '" . $maintenanceCost . "', (SELECT MAX(order_id) FROM eOrderManagement.order));"
);
The three first requests are inserted in my database, but the two last are not. 前三个请求插入到我的数据库中,但后两个没有插入。 I tried to insert them manually in the MySQL Commande Line , directly with data on the query (unlike with variables in PHP), and all the query insert the data correctly. 我试图在MySQL Commande Line中手动将其直接插入查询中的数据(与PHP中的变量不同),然后所有查询均正确插入数据。
Any idea why this two query doesn't insert anything ? 知道为什么这两个查询不插入任何内容吗? The two query I am talking about are : 我正在谈论的两个查询是:
INSERT INTO eOrderManagement.order (creation_date, wished_delivery_date, status, email, first_name_id, last_name_id, section_id)
VALUES ('" . $creationDate . "', '" . $wishedDeliveryDate . "', 'En attente', '" . $email . "', (SELECT first_name_id FROM eOrderManagement.first_name WHERE first_name LIKE '" . $firstName . "'), (SELECT last_name_id FROM eOrderManagement.last_name WHERE last_name LIKE '" . $lastName . "'), (SELECT section_id FROM eOrderManagement.section WHERE section LIKE '" . $section . "'));
INSERT INTO eOrderManagement.equipment (description, imputation, cost, maintenance_cost, order_id)
VALUES ('" . $description . "', '" . $imputation . "', '" . $cost . "', '" . $maintenanceCost . "', (SELECT MAX(order_id) FROM eOrderManagement.order));"
2 个解决方案
解决方案1
2 已采纳 2014-04-03 06:43:54
order is a reserved word for SQL. order是SQL的保留字。 So you have to quote your table name order 因此,您必须引用表名order
`eOrderManagement.order`
Try the following: 请尝试以下操作:
INSERT INTO `eOrderManagement.order` (creation_date, wished_delivery_date, status, email, first_name_id, last_name_id, section_id)
VALUES ('" . $creationDate . "', '" . $wishedDeliveryDate . "', 'En attente', '" . $email . "', (SELECT first_name_id FROM eOrderManagement.first_name WHERE first_name LIKE '" . $firstName . "'), (SELECT last_name_id FROM eOrderManagement.last_name WHERE last_name LIKE '" . $lastName . "'), (SELECT section_id FROM eOrderManagement.section WHERE section LIKE '" . $section . "'));
INSERT INTO eOrderManagement.equipment (description, imputation, cost, maintenance_cost, order_id)
VALUES ('" . $description . "', '" . $imputation . "', '" . $cost . "', '" . $maintenanceCost . "', (SELECT MAX(order_id) FROM `eOrderManagement.order`));"
Moreover, your queries are vulnerable for SQL injections. 而且,您的查询容易受到SQL注入的攻击。 So I suggest you to use prepared statements with parameters. 因此,我建议您使用带参数的预备语句。
for example: 例如:
$query = $db->prepare('INSERT INTO eOrderManagement.equipment
(description,
imputation,
cost,
maintenance_cost,
order_id)
VALUES (:description,
:imputation,
:cost,
:maintenanceCost,
(SELECT MAX(order_id) FROM `eOrderManagement.order`)
)'
);
$query->bindValue(':description', $description, PDO::PARAM_STR);
...
OR 要么
$query->execute(':description' => $description, :imputation => $imputation, ...);
Another point what if there are two insert processes executed simultaneously? 还有一点,如果同时执行两个插入过程怎么办?
SELECT MAX(order_id) FROM `eOrderManagement.order`
would return incorrect value. 将返回不正确的值。 Use lastInsertId() function of PDO. 使用PDO的lastInsertId()函数。
解决方案2
2 2014-04-03 06:44:20
In fact, your problem is FAR deeper than silly syntax issue. 实际上,您的问题比愚蠢的语法问题更深。
First of all, such a database structure makes absolutely no sense. 首先,这样的数据库结构绝对没有意义。
Having tables consists of one single field won't let you to get your data back! 表格由一个字段组成, 不会让您取回数据!
So, instead of first three you have to make ONE table first, contains all your fields. 因此,您不必首先创建一个表,而是包含所有字段,而不是前三个。
Then create ONE insert query that have to utilize prepared statements instead of interpolating variables like you do here. 然后创建一个插入查询,该查询必须利用准备好的语句,而不是像在此那样插值变量。
And you ought to use LAST_INSERT_ID()/PDO::insertId() to handle table relations, instead of these selects. 您应该使用LAST_INSERT_ID()/ PDO :: insertId()处理表关系,而不要使用这些选择。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.