
Why my SQL query does not work

My SQL query doesn't work (the one with "UPDATE..."). MySQL doesn't return any error, and the UPDATE query doesn't update anything.

This is my code:

<?php
print_r($_POST);
try
{
    $bdd = new PDO('mysql:host=localhost;dbname=perso;charset=utf8', 'root', 'root');
}
catch (Exception $e)
{
    die('Erreur : ' . $e->getMessage());
}
$query = "SELECT * FROM money WHERE name='" . $_GET['name'] . "'";
foreach($bdd->query($query) as $val)
{
    $name = $val['name'];
    $balance = $val['balance'];
}
$balance = $balance + $_POST['money'];
echo $balance;
$query = "UPDATE money SET balance = " . $balance . " WHERE name = '" . $_GET['name'] . "'";
echo $query;
?>

The reason is that you don't execute your statement. Add this line to your code and you should be good...

$bdd->query($query);

However, this is a really bad way to do things; you are open to SQL injection attacks because you are not preparing (escaping) your strings. The best way to do it is by using parameters, then binding them to a prepared statement, like this...

Set up your query, leaving data from users out, so anything after an = should be replaced by a ?, like this:

$query = "SELECT * FROM money WHERE name=?";

Also, don't put quotes around the question mark; PDO will do this automatically when you bind your parameter.

Next, you need to prepare your statement, like this...

$preparedStatement = $bdd->prepare($query);

You can then bind your parameters to the statement. If you only have one, which in your case you do, you simply do it like this...

$preparedStatement->bindParam(1, $_GET['name']); //This is binding $_GET['name'] to the first question mark in the query, which is after name=.

If you have multiple parameters to bind, you simply need to replace the 1 with the position of the question mark, and repeat the same process for the number of parameters you have.

You can also use iteration and arrays (using for and foreach loops) if you have a lot of parameters, to save yourself writing lines and lines of code.

Hope this helps!

EDIT

If you implement all of what I have recommended, your new code will look like this...

<?php
print_r($_POST);
try {
    $bdd = new PDO('mysql:host=localhost;dbname=perso;charset=utf8', 'root', 'root');
}
catch (Exception $e) {
    die('Erreur : ' . $e->getMessage());
}

$query = "SELECT * FROM `money` WHERE `name`=?"; //Replacing the concatenation with a parameter.
$pStatement = $bdd->prepare($query); //Preparing your statement. This closes your vulnerability to attack.
$pStatement->bindParam(1, $_GET['name']); //Binding $_GET['name'] to the first question mark.
$pStatement->execute(); //Execute the statement.

foreach($pStatement->fetchAll(PDO::FETCH_ASSOC) as $val){ //Fetching all rows from the executed statement as an associative array.
    $name = $val['name'];
    $balance = $val['balance'];
}

$balance = $balance + $_POST['money'];
echo $balance;
$query = "UPDATE `money` SET `balance` = ? WHERE `name` = ?"; //Same approach for the UPDATE: no concatenation of user data.
$pStatement = $bdd->prepare($query);
$pStatement->bindParam(1, $balance);
$pStatement->bindParam(2, $_GET['name']);
$pStatement->execute(); //The UPDATE only changes anything once it is executed.
?>
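As an added example (not the poster's or the answerer's code), here is the same read-modify-write done entirely with prepared statements, with input validation, exceptions enabled on the PDO handle, and a transaction so two concurrent deposits cannot both read the same old balance. It assumes the `money` table from the question (columns `name` and `balance`) and the same local credentials the question uses.

```php
<?php
// Added example, not from the original post. Assumes the `money` table
// (columns `name`, `balance`) and the local credentials used in the question.
$bdd = new PDO(
    'mysql:host=localhost;dbname=perso;charset=utf8',
    'root',
    'root',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]
);

// Reject anything that is not a plain decimal amount before it gets near SQL.
$name  = $_GET['name'] ?? '';
$money = $_POST['money'] ?? '';
if ($name === '' || !is_numeric($money)) {
    http_response_code(400);
    exit('bad input');
}

$bdd->beginTransaction();
try {
    // Lock the row for the duration of the transaction so the balance we
    // read is the one we update.
    $select = $bdd->prepare('SELECT balance FROM money WHERE name = ? FOR UPDATE');
    $select->execute([$name]);
    $row = $select->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        throw new RuntimeException('unknown account');
    }

    // Both user-supplied values travel as bound parameters; nothing is
    // concatenated into the query text.
    $update = $bdd->prepare('UPDATE money SET balance = balance + ? WHERE name = ?');
    $update->execute([$money, $name]);

    $bdd->commit();
    echo $row['balance'] + $money;
} catch (Exception $e) {
    $bdd->rollBack();
    http_response_code(500);
    // Keep the failure detail in the server log rather than echoing the
    // SQL or the exception text back to the browser.
    error_log($e->getMessage());
    exit('update failed');
}
```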
