[英]Using PHP variable in SQL query
I'm having some trouble using a variable declared in PHP with an SQL query.我在使用带有 SQL 查询的 PHP 中声明的变量时遇到了一些问题。 I have used the resources at How to include a PHP variable inside a MySQL insert statement but have had no luck with them.
我已经使用了如何在 MySQL 插入语句中包含 PHP 变量中的资源,但没有使用它们。 I realize this is prone to SQL injection and if someone wants to show me how to protect against that, I will gladly implement that.
我意识到这很容易发生 SQL 注入,如果有人想向我展示如何防止这种情况发生,我很乐意实施。 (I think by using mysql_real_escape_string but that may be deprecated?)
(我认为通过使用 mysql_real_escape_string 但这可能会被弃用?)
<?php
$q = 'Hospital_Name';
$query = "SELECT * FROM database.table WHERE field_name = 'hospital_name' AND value = '$q'";
$query_result = mysqli_query($conn, $query);
while ($row = mysqli_fetch_assoc($query_result)) {
echo $row['value'];
}
?>
I have tried switching '$q'
with $q
and that doesn't work.我试过用
$q
切换'$q'
,但没有用。 If I substitute the hospital name directly into the query, the SQL query and PHP output code works so I know that's not the problem unless for some reason it uses different logic with a variable when connecting to the database and executing the query.如果我将医院名称直接替换到查询中,SQL 查询和 PHP 输出代码将起作用,所以我知道这不是问题,除非由于某种原因它在连接到数据库并执行查询时使用不同的逻辑和变量。
Thank you in advance.先感谢您。
Edit: I'll go ahead and post more of my actual code instead of just the problem areas since unfortunately none of the answers provided have worked.编辑:我将继续发布更多我的实际代码,而不仅仅是问题区域,因为不幸的是,所提供的答案都没有奏效。 I am trying to print out a "Case ID" that is the primary key tied to a patient.
我正在尝试打印一个“病例 ID”,它是与患者相关的主键。 I am using a REDCap clinical database and their table structure is a little different than normal relational databases.
我使用的是 REDCap 临床数据库,它们的表结构与普通关系数据库略有不同。 My code is as follows:
我的代码如下:
<?php
$q = 'Hospital_Name';
$query = "SELECT * FROM database.table WHERE field_name = 'case_id' AND record in (SELECT distinct record FROM database.table WHERE field_name = 'hospital_name' AND value = '$q')";
$query_result = mysqli_query($conn, $query);
while ($row = mysqli_fetch_assoc($query_result)) {
echo $row['value'];
}
?>
I have tried substituting $q
with '$q'
and '".$q."'
and none of those print out the case_id that I need.我试过用
'$q'
和'".$q."'
替换$q
,但没有一个打印出我需要的 case_id。 I also tried using the mysqli_stmt_*
functions but they printed nothing but blank as well.我也尝试使用
mysqli_stmt_*
函数,但它们也只打印空白。 Our server uses PHP version 5.3.3 if that is helpful.如果有帮助,我们的服务器使用 PHP 5.3.3 版。
Thanks again.再次感谢。
Do it like so这样做
<?php
$q = 'mercy_west';
$query = "SELECT col1,col2,col3,col4 FROM database.table WHERE field_name = 'hospital_name' AND value = ?";
if($stmt = $db->query($query)){
$stmt->bind_param("s",$q); // s is for string, i for integer, number of these must match your ? marks in query. Then variable you're binding is the $q, Must match number of ? as well
$stmt->execute();
$stmt->bind_result($col1,$col2,$col3,$col4); // Can initialize these above with $col1 = "", but these bind what you're selecting. If you select 5 times, must have 5 variables, and they go in in order. select id,name, bind_result($id,name)
$stmt->store_result();
while($stmt->fetch()){ // fetch the results
echo $col1;
}
$stmt->close();
}
?>
Yes mysql_real_escape_string() is deprecated.是的mysql_real_escape_string()已弃用。
One solution, as hinted by answers like this one in that post you included a link to, is to use prepared statements.一个解决方案,通过类似的答案为暗示这一个在该职位你提供一个链接,是使用准备好的语句。 MySQLi and PDO both support binding parameters with prepared statements.
MySQLi 和 PDO 都支持使用准备好的语句绑定参数。
To continue using the mysqli_* functions, use:要继续使用 mysqli_* 函数,请使用:
value='$q'
) value='$q'
)mysqli_stmt_bind_result() to send the output to a variable. mysqli_stmt_bind_result()将输出发送到变量。
<?php $q = 'Hospital_Name'; $query = "SELECT value FROM database.table WHERE field_name = 'hospital_name' AND value = ?"; $statement = mysqli_prepare($conn, $query); //Bind parameter for $q; substituted for first ? in $query //first parameter: 's' -> string mysqli_stmt_bind_param($statement, 's', $q); //execute the statement mysqli_stmt_execute($statement); //bind an output variable mysqli_stmt_bind_result($stmt, $value); while ( mysqli_stmt_fetch($stmt)) { echo $value; //print the value from each returned row }
If you consider using PDO, look at bindparam() .如果您考虑使用 PDO,请查看bindparam() 。 You will need to determine the parameters for the PDO constructor but then can use it to get prepared statements with the prepare() method.
您将需要确定PDO 构造函数的参数,然后可以使用它通过prepare()方法获取准备好的语句。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.