将NULL附加到字符串,用于MySQL插入查询
[英]Appending NULL to a string, used for MySQL insert query
问题描述
I am trying to add a new entry to a MySQL database, with last 5 parameters being optional, so NULL value is possible. 
我正在尝试向MySQL数据库添加一个新条目,最后5个参数是可选的,因此可以使用NULL值。 I am having trouble appending NULL value to a query string, based on received POST data. 根据收到的POST数据,我在查询字符串中附加NULL值时遇到问题。
How to append NULL value to a query string? 如何将NULL值附加到查询字符串?
//more similar mysqli_real_escape_string rows and if clauses above these lines
$phonenumber=mysqli_real_escape_string($db,$_POST["phonenumber"]);
$gender = NULL;
if($_POST["gender"] != null)
$gender=(int)mysqli_real_escape_string($db,$_POST["gender"]);
$age = NULL;
if($_POST["age"] != null)
$age = (int)mysqli_real_escape_string($db,$_POST["age"]);
$qs_registration="insert into uporabnik (ID, up_ime, geslo, email, ime, priimek, naslov_bivanja, posta_foreign_key,
tel_stevilka, spol, starost) VALUES (NULL, '".$username."','".$password."','".$email."','".$name."',
'".$surname."','".$location."',".$postoffice.",'".$phonenumber."',".$gender.",".$age.")";
2 个解决方案
解决方案1
0 2017-03-09 14:57:49
If you need a null value eg: are using and auto_increment id ..in a column then you could omit the related values (and you can avoid the string concat because '$yourvar' is enough) 如果你需要一个空值,例如:在一个列中使用和auto_increment id ..那么你可以省略相关的值(并且你可以避免字符串连接,因为'$ yourvar'就足够了)
"insert into uporabnik (up_ime, geslo, email, ime, priimek,
naslov_bivanja, posta_foreign_key, tel_stevilka, spol, starost)
VALUES ('$username','$password','$email','$name',
'$surname','$location', $postoffice','$phonenumber',$gender,$age.")";
anyway be careful passing var you should eval a paramaetrized query instead passing var for avoid sqlinjection 无论如何要小心传递var你应该eval一个paramaetrized查询而不是传递var以避免sqlinjection
解决方案2
0 2017-03-09 14:59:23
First of all, you should be using prepared statements - When should I use prepared statements? 首先,您应该使用预准备语句 - 我应该何时使用预准备语句?
However, if you are just looking for an answer, just set your initial variables to the string 'NULL' instead. 但是,如果您只是寻找答案,只需将初始变量设置为字符串'NULL' 。
That way, when you concat everything, you'll get a query string that MySQL can understand: 这样,当您连接所有内容时,您将获得MySQL可以理解的查询字符串:
$age = 'NULL';
if($_POST["age"] != null) {
// Wrap each variable in quotes
$age = "'" . (int)mysqli_real_escape_string($db,$_POST["age"]) . "'";
}
// etc.
$qs_registration="insert into uporabnik (ID, up_ime, geslo, email, ime, priimek, naslov_bivanja, posta_foreign_key,
tel_stevilka, spol, starost) VALUES (NULL, " . $username . "," . $password . "," . $email . "," . $name . ",
" . $surname . "," . $location . "," . $postoffice . "," . $phonenumber . "," . $gender . "," . $age . ")";
NOTE : I think there are a lot of other problems here, from not using prepared statements (as mentioned before) to how you have the table configured in the first place. 注意 :我认为这里存在很多其他问题,从不使用预准备语句(如前所述)到如何首先配置表。 But this should fix your issue at hand. 但这应该可以解决您手头的问题。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.