mysqli参数中的空值
[英]null values in mysqli parameters
问题描述
my mysql table accepts NULL values on many fields, I'm updating records and my desktop app is creating a http string as follows and sending to a php script. 
我的mysql表在许多字段上接受NULL值,我正在更新记录,而我的桌面应用程序正在按如下方式创建http字符串并发送到php脚本。
www.webpage/script.php?firstval=48.345345&secondval=234&thirdval=&fourthval=simon
on the db thirdval is already NULL but the parameters in the http string may or may not hold values 在db thirdval上已为NULL,但http字符串中的参数可能包含也可能不包含值
do I need to : A)pass the parameter in the http string as b)pass the parameter in the httpstring as c)cater for the null value in the php script( d)not include the parameter in the http string at all or something else my phpscript is like so : 我是否需要:A)将HTTP字符串中的参数作为b)将HTTP字符串中的参数作为c)将php脚本中的null值提供给客户(d)完全不包括HTTP字符串中的参数否则我的phpscript就像这样:
?php
DEFINE ('DBUSER', 'generic01');
DEFINE ('DBPW', 'genpass');
DEFINE ('DBHOST', 'mysql4.xxxxxxxxx.com');
DEFINE ('DBNAME', '_Places');
$dbc = mysqli_connect(DBHOST,DBUSER,DBPW);
if (!$dbc) {
die("Database connection failed: " . mysqli_error($dbc));
exit();
}
$dbs = mysqli_select_db($dbc, DBNAME);
if (!$dbs) {
die(" Database selection bit failed: " . mysqli_error($dbc));
exit();
}
$lat = mysqli_real_escape_string($dbc, $_GET['lat']);
$lng = mysqli_real_escape_string($dbc,$_GET['lng']);
$prox = mysqli_real_escape_string($dbc,$_GET['prox']);
$description = mysqli_real_escape_string($dbc,$_GET['description']);
$id = mysqli_real_escape_string($dbc,$_GET['id']);
$direction = mysqli_real_escape_string($dbc,$_GET['direction']);
$avoiddays = mysqli_real_escape_string($dbc,$_GET['avoiddays']);
$validfrom = mysqli_real_escape_string($dbc,$_GET['validfrom']);
$validto = mysqli_real_escape_string($dbc,$_GET['validto']);
$gefid = mysqli_real_escape_string($dbc,$_GET['gefid']);
$expiry = mysqli_real_escape_string($dbc,$_GET['expiry']);
$query = "UPDATE places SET rt_lat = '$lat',rt_lng= '$lng',rt_prox = '$prox', rt_description = '$description', rt_direction = '$direction',rt_avoiddays = '$avoiddays',rt_validto = '$validto',rt_validfrom = '$validfrom',rt_gefid = '$gefid',rt_expiry='$expiry' WHERE rt_id = '$id'";
$result = mysqli_query($dbc, $query) or trigger_error("Query MySQL Error: " . mysqli_error($dbc));
mysqli_close($dbc);
?>
All help appreciated, 感谢所有帮助,
2 个解决方案
解决方案1
0 2014-06-18 15:01:40
PHP has no knowledge of SQL nulls. PHP不了解SQL空值。 If you want a blank/not-set $_GET value to become a null in the DB, then you have to take special steps: 如果希望空白/未设置的$ _GET值在数据库中成为空值,则必须采取特殊步骤:
if(isset($_GET['lat']) || ($_GET['lat'] == '')) {
$lat = 'NULL'; // a plain PHP string with the word "null" in it
} else {
$lat = "'" . mysqli_real_escape_string($dbc, $_GET['lat']) . "'"; // note the extra quotes
}
$sql = "INSERT ... VALUES ($lat, ....)"
If you do it any other way, eg (just as an example, yes it's sql-injection vulnerable): 如果您以其他方式执行此操作,例如(仅作为示例,是的,它容易受到sql注入的攻击):
$sql = "INSERT ... VALUES ('$_GET[lat]', ...)";
Then for an empty $_GET['lat'] your query would actually be 然后对于空的$_GET['lat']您的查询实际上是
INSERT ... VALUES ('', ...)
and you'd be inserting an empty string, NOT an sql null. 并且您将插入一个空字符串,而不是sql null。
解决方案2
0 已采纳 2014-06-18 15:02:09
You do not need to include it in the http request, but you have to catch that, otherwise you get an E_NOTICE error. 您无需将其包含在http请求中,但必须抓住它,否则会收到E_NOTICE错误。
For all fields that can be null: 对于所有可以为空的字段:
if (isset($_GET['gefid'])) {
$gefid = mysqli_real_escape_string($dbc,$_GET['gefid']);
} else {
$gefid = null;
}
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.