smarty -sql查询-其中id子句是另一个查询的结果
[英]smarty -sql query - where id clause is the result of another query
问题描述
For partner data, I need the partner id to coresponds to the pid from the contract result. 
对于合作伙伴数据,我需要合作伙伴ID与合同结果中的pid对应。 I got the query result from contract data, got the contract data, then i need that the partner.id to be the contract.pid. 我从合同数据中获得了查询结果,获得了合同数据,然后我需要partner.id成为contract.pid。 When saving this, I get this error: 保存此错误时,出现以下错误:
Query failed : You have an error in your SQL syntax; 查询失败:您的SQL语法有误; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 3 检查与您的MySQL服务器版本相对应的手册,以在第3行的''附近使用正确的语法
require "$_SERVER[DOCUMENT_ROOT]/billing/server/Smarty/libs/Smarty.class.php";
require_once "$_SERVER[DOCUMENT_ROOT]/common/server/engine.php";
// required args
$cbid = $_GET['cbid'];
//$smarty->force_compile = true;
$smarty->debugging = true;
$smarty->caching = true;
$smarty->cache_lifetime = 120;
// ------- contract data ------
$sql = "
SELECT *
FROM billing.contract_body
JOIN billing.contract_stub ON stub=contract_stub.id
WHERE contract_body.id=$cbid
";
$result = mysql_query($sql) or die ("Query failed : " . mysql_error());
while ($contract = mysql_fetch_assoc($result))
{
$value[] = $contract;
}
$smarty->assign('contract', $value);
// ------- partner data ------
$sql = "
SELECT *
FROM common.partner
WHERE partner.id=$contract[pid]
";
$result = mysql_query($sql) or die ("Query failed : " . mysql_error());
while ($partner = mysql_fetch_assoc($result))
{
$value[] = $partner;
}
1 个解决方案
解决方案1
0 2015-04-02 15:57:03
There are a few possible problems: 存在一些可能的问题:
1) You should probably use {} when interpolating array elements in a php string. 1)在php字符串中插入数组元素时,您可能应该使用{}。 I think different (older) versions of php handle the cases without {} differently (it's hard to get references to documentation on older versions of php). 我认为不同(较旧)的php版本在处理{}时不会有不同的处理(很难获得对较旧版本php的引用)。 The value could easily be interpreted as '', which would result in a sql error. 该值很容易解释为'',这将导致sql错误。 You could confirm this by printing out the actual sql string being executed - if the value is missing this would be the problem. 您可以通过打印出正在执行的实际sql字符串来确认这一点-如果缺少该值,那就是问题所在。 I personally always use the { } syntax for every expression other than simple variables " $myvar " 我个人总是对每个表达式使用{}语法,而不是简单变量“ $ myvar”
2) $contract[pid] is probably not valid. 2)$ contract [pid]可能无效。 pid would be interpreted as a constant (DEFINE) (which may resolve to 'pid'). pid将被解释为常量(DEFINE)( 可以解析为“ pid”)。 I'm guessing you meant this: $contract['pid']. 我猜你是这个意思:$ contract ['pid']。 Unfortunately the php documentation is not consistent in this - some samples show the use without quotes and some parts explicitly point out the problem: 不幸的是,PHP文档在此方面并不一致-一些示例显示不带引号的用法,而某些部分明确指出了该问题:
"Always use quotes around a string literal array index. For example, $foo['bar'] is correct, while $foo[bar] is not. But why? It is common to encounter this kind of syntax in old scripts:"
http://php.net/manual/en/language.types.array.php http://php.net/manual/en/language.types.array.php
3) it's appropriate to put single quotes around the value in the sql equals comparison. 3)最好在sql equals比较中将单引号引起来。 where table.column = 'value'; 其中table.column ='value'; It may work without, depending on data types involved. 根据所涉及的数据类型,它可能不起作用。
4) your code is subject to sql injection. 4)您的代码需要进行sql注入。 You're using the cbid value from the $_GET parameters without sanitizing them or using query parameters. 您正在使用$ _GET参数中的cbid值,而没有对其进行清理或使用查询参数。
So try this: 所以试试这个:
" ... where partner.id='{$contract['pid']}' " “ ...其中partner.id ='{$ contract ['pid']}''”
and please fix your sql injection :) The best approach is to use query parameters which avoids much of your problem with string interpolation in the first place. 并请修复您的SQL注入:)最好的方法是使用查询参数,这首先避免了字符串内插的大部分问题。 http://php.net/manual/en/mysqli.quickstart.prepared-statements.php http://php.net/manual/en/mysqli.quickstart.prepared-statements.php
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.