PHP MySQL的分配变量到列数据

Question

I'm trying to assign MySQL column data to php variables so I can then send via email. It runs a query looking for a matching phone number in database and then returns the row/column data. Some of the variables are being brought in via a text message to this php script in case you're wondering why they are not in the mysql stuff. I'm getting an error at the while statement when I run in browser but I have a feeling my SELECT statement isn't right. Thanks!

<?php
session_start();

//$to_number_back = $_GET['to_number'];
$to_number_back = "+15551212";
$dcsrep = array();
$name = array();
$date = array();
$amount = array();
$digits = array();
$details = array();


//include_once("scripts/connect_to_mysql.php");
$servername = "****";
$username = "****";
$password = "****";
$dbname = "****";

// Create connection
$conn = new mysqli($servername, $username, $password, $dbname);
// Check connection
if ($conn->connect_error) {
die("Connection failed: " . $conn->connect_error);
}

$stmt = $conn->prepare('SELECT dcsrep, name, date, amount, digits, details     FROM ***uth WHERE to_number = ?');

$stmt->bind_param('s', $to_number_back);

$result = $stmt->execute();
$stmt->store_result();

while($row = $result->fetch_assoc()) {

$dcsrep[] = $row['dcsrep'];
$name[] = $row['name'];
$date[] = $row['date'];
$amount[] = $row['amount'];
$digits[] = $row['digits'];
$details[] = $row['details'];
}

if($stmt->num_rows > 0){
echo "Records received";
} else {
echo "Error: " . $sql . "<br>" . $conn->error;
}


$conn->close();


$from_number = $_GET['from_number'];
$message = $_GET['message'];

    $to = "***@global.net";
    $from = "admin@d***.com";

    $subject = " Payment Authorization";

    //// start email body ////

    $message1 = "


From: $from_number

To: $to_number


Message:

$dcsrep
$name
$date
$amount
$digits
$details


$message



";

    //// Set das headers eh ////

    $headers = 'MIME-Version: 1.0' . "rn";

    $headers .= "Content-type: textrn";

    $headers .= "From: $fromrn";

    /// Okay, you send now!

    mail($to, $subject, $message1, $headers, '-f admin**ect.com');

echo "it worked";

?>

Answer 1

You've got a hodgeposh of mysql, mysqli, procedural and object oriented functions you're using here, you need to standardize.

First, let's change $conn to instantiate an instance of a mysqli connection and return an object.

$conn = new mysqli($servername, $username, $password, $dbname);

Then do your checks:

if($conn->connect_error){
    die("Connection failed: " . $conn->connect_error);
}

Now, you're going to be accepting user input data, so don't directly inject that into the string, instead take advantage of prepared statements . Furthermore, your number is actually a string and not an integer. However, our prepared statement and bind_param calls will handle that

$stmt = $conn->prepare('select dcsrep, name, date, amount, digits, details from ****uth where to_number = ?');

Now the ? is a placeholder, let's bind our data safely to it.

$stmt->bind_param('s', $to_number_back);
                   ^--- treat it as a string

Great. Now it's safely sanitized. Let's execute the statement now and walk over our returned results.

$result = $stmt->execute();

while($row = $result->fetch_assoc()){
    $dcsrep[] = $row['dcsrep'];
    $name[] = $row['name'];
    $date[] = $row['date'];
    $amount[] = $row['amount'];
    $digits[] = $row['digits'];
    $details[] = $row['details'];
}

Now you can proceed as you intend.

Edit

You should also not worry about $conn->query($sql) === TRUE . Instead, you should store the request and then evaluate the number of rows returned.

You will need to store the result directly after calling ->execute();

$result = $stmt->execute();
$stmt->store_result();

Now you can check the num rows instead of if the query was true.

if($stmt->num_rows > 0){
    //do your stuff, query found results.
} else {
    //die out
}