PHP选择查询返回false
[英]PHP select query returning false
问题描述
I am having this piece of code: 
我有这段代码:
$result = mysqli_query($con , 'SELECT * FROM messages WHERE group = "'.$_POST['group'].'" ORDER BY date '.$_POST['order'].'');
I don't understand why it is always returning me false. 我不明白为什么它总是让我假。 The variables $_POST['group'] and $_POST['order'] aren't empty . 变量$ _POST ['group']和$ _POST ['order']不为空。
$_POST['group']='PHP'
$_POST['order']='DESC'
The conecction to the database is corect too. 对数据库的连接也是corect。
2 个解决方案
解决方案1
0 2014-09-30 17:57:36
GROUP is a mysql reserved word and needs to be quoted using backticks; GROUP是mysql保留字 ,需要使用反引号引起来;
SELECT * FROM messages WHERE `group` = ...
You're also wide open to SQL injection, you should never add un-validated/un-escaped POST data in string format to your SQL. 您也对SQL注入持开放态度,永远不要将字符串格式的未经验证/未转义的POST数据添加到SQL中。 The safest way to do queries with user data is using prepared statements, or - as a less secure alternative - escape the data using mysqli_real_escape_string . 使用用户数据进行查询的最安全方法是使用预处理语句,或者-作为较不安全的替代方法,使用mysqli_real_escape_string对数据进行mysqli_real_escape_string 。
解决方案2
-1 2014-09-30 17:53:44
$result = mysqli_query($con , "SELECT * FROM messages WHERE group = '".mysqli_real_escape_string($_POST['group'])."' ORDER BY date '".mysqli_real_escape_string($_POST['order'])."'";
Try formatting the query like this and see if it helps your result. 尝试像这样格式化查询,看看它是否对您的结果有所帮助。 I also added mysqli_real_escape_string() to escape your input, as your query was wide open to SQL injection. 我还添加了mysqli_real_escape_string()来转义您的输入,因为您的查询已广泛接受SQL注入。
http://php.net/manual/en/mysqli.real-escape-string.php http://php.net/manual/zh/mysqli.real-escape-string.php
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.