比较PHP变量值和MySQL列值
[英]Compare PHP Variable value with MySQL Column value
问题描述
I receive a post and want to do some actions only if the value of variable received in post exists in a specific column of the table. 
我收到一个帖子,并且仅当表格中的特定列中存在帖子中接收到的变量的值时,才想执行一些操作。 So i did this: 所以我做到了:
$pedidoID = $_POST["pedidoID"];
$con = mysql_connect("127.0.0.1", "root", "password") or die("Could not connect: " . mysql_error());
$result = mysql_query('SELECT id FROM listapagamento WHERE numeroPedido = "pedidoID"');
if(mysql_num_rows($result) == 0) {
//Some actions
}
So if the value from pedidoID doesn't exist in the column numeroPedido it will do the actions, because result will be 0 (because no rows are found). 因此,如果numeroPedido列中不存在来自pedidoID的值,则它将执行操作,因为结果将为0(因为未找到任何行)。
What is happenning is that the $result is returning as bool(false) in both cases (if the value exists or not). 正在发生的是,在两种情况下(如果值存在或不存在),$ result都将返回为bool(false)。 I guess that my problem is how I'm using the variable inside the SELECT to compare to the column. 我想我的问题是我如何使用SELECT内的变量与列进行比较。 I've tried to insert $_POST["pedidoID"] inside the SELECT also but my syntax was also wrong. 我也尝试在SELECT内插入$ _POST [“ pedidoID”],但我的语法也不对。
Does anyone know the correct syntax to use? 有人知道要使用的正确语法吗?
3 个解决方案
解决方案1
0 2016-03-23 21:04:38
Right now you are comparing the column's value with a fixed string, hence your error. 现在,您正在将列的值与固定的字符串进行比较,因此会出现错误。 Put the variable in the code instead. 而是将变量放入代码中。
$pedidoID = $_POST["pedidoID"];
$con = mysql_connect("127.0.0.1", "root", "Password") or die("Could not connect: " . mysql_error());
$result = mysql_query('SELECT id FROM listapagamento WHERE numeroPedido = "' . $pedidoID . '"');
if(mysql_num_rows($result) == 0) {
//Some actions
}
HOWEVER this code is wide open to SQL injection attacks, you should always sanitize any input before using it. 尽管此代码容易受到SQL注入攻击的影响,但在使用任何输入之前,应始终清除所有输入。 Which, as recommended, would look like: 根据建议,其外观如下:
$pedidoID = $_POST["pedidoID"];
$con = mysql_connect("127.0.0.1", "root", "Password") or die("Could not connect: " . mysql_error());
$result = mysql_query('SELECT id FROM listapagamento WHERE numeroPedido = "' . mysqli_real_escape_string($pedidoID) . '"');
if(mysql_num_rows($result) == 0) {
//Some actions
}
解决方案2
0 已采纳 2016-03-23 21:08:01
Try: 尝试:
$pedidoID = mysql_real_escape_string($_POST["pedidoID"]);
$con = mysql_connect("127.0.0.1", "root", "password") or die("Could not connect: " . mysql_error());
mysql_select_db('<your_database_name>', $con);
$result = mysql_query("SELECT id FROM listapagamento WHERE numeroPedido = 'pedidoID'");
if(mysql_num_rows($result) == 0) {
//Some actions
}
解决方案3
0 2016-03-23 21:19:29
When you write code that deal with database, make always sure that it's not vulnerable to sql injection. 当编写用于处理数据库的代码时,请始终确保它不容易受到sql注入的攻击。 Now for your case, you have to treat the post element before using it: 现在,对于您的情况,必须在使用post元素之前对其进行处理:
$pedidoID = mysql_real_escape_string ($_POST["pedidoID"]);
Then for your bug, you haven't select the database: 然后针对您的错误,您没有选择数据库:
$link = mysql_connect('localhost', 'mysql_user', 'mysql_password');
if (!$link) {
die('Connection to Mysql failed : ' . mysql_error());
}
$db_selected = mysql_select_db('database', $link);
if (!$db_selected) {
die ('connection to database failed : ' .mysql_error());
}
$result = mysql_query("SELECT id FROM listapagamento WHERE numeroPedido=$pedidoID");
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.