
MySQL returns table name instead of value with Ajax

I'm trying to make an AJAX request to fetch some data from the database but the only thing returned is the name of the column. Can somebody explain why? Here is my code:

=> Table Name :- tblstudents

id = 0
fname = john
lname = doe
tel = 555-564-1585

id = 1 
fname = paul
lname = smith
tel = 555-134-5644

id = 2
fname = laura
lname = mcdo
tel = 555-465-7512

=> AJAX method:

function fetchFromDBPHP(column, fname, id, tel) {
    $.ajax({
        type: "post",
        url: "./php/fetchFromDB.php",
        dataType: 'json',
        data: { column: column, fname: fname, id: id },
        success: function(data) {
            localStorage.setItem(tel, data);
        },
        error:function(request, status, error) {
            console.log("** Error from fetchFromDBPHP **");
            console.log("Error: " + error + "\nMessage: " + request.responseText);
        }
    });
}

=> Javascript:

fetchFromDBPHP(column, fname, id, "one");
var result = localStorage.getItem("one");
console.log("Result: " + result);

=> PHP:

<?php
    $column = $_POST['column'];
    $fname = $_POST['fname'];
    $id = $_POST['id'];

    if (isset($column)) {
        $sql = "SELECT '$column' FROM tblstudents WHERE fname = '$fname' AND id = '" . intval($id) . "'";
        $con = mysqli_connect("localhost", "root", "", "test");
        if (!$con) {
            // $con is false here, so use mysqli_connect_error() rather than mysqli_error($con)
            die("Connection failed: " . mysqli_connect_error());
        }
        $result = mysqli_query($con, $sql);
        $to_encode = array();
        while($row = mysqli_fetch_array($result, MYSQLI_NUM)) {
            $to_encode[] = $row;
        }
        echo json_encode($to_encode);
        mysqli_close($con);
    }
?>

As you might know, column, fname and id have values in the Javascript code. As my database is way longer, I tried to stay as close as possible to my real code. The only thing is, the result of the AJAX request gives me a JSON object result containing the name of the column, and not its content. Can anybody help? Thanks in advance :)

You're using the wrong quotes in your query.

"SELECT '$column' FROM ..."

...will simply return the value of the variable $column instead of the value of the actual database column.

Changing it to (back ticks):

"SELECT `$column` FROM ..."

will work.

An important note...

...the posted code is wide open to SQL Injections and should use parameterized Prepared Statements instead of concatenation of the variables in the query. Especially since the user inputs aren't escaped at all.

Rule of thumb, never ever trust user inputs.

Regarding the column name, which you can't parameterize, you should create a white list with allowed column names.
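
The answer's two recommendations combined, as an added example that is not part of the original answer: the column name is checked against a fixed allow-list, and `fname` and `id` are bound as parameters. Connection settings and the `tblstudents` columns are taken from the question; the function name `fetchColumn` and the JSON error responses are assumptions.

```php
<?php
// Added example, not the asker's or answerer's code.
// Connection parameters and table/column names are the ones from the question.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on DB errors

// Allow-list: the only identifiers that may ever be interpolated into the SQL text.
const ALLOWED_COLUMNS = ['id', 'fname', 'lname', 'tel'];

// fetchColumn is a hypothetical helper name chosen for this example.
function fetchColumn(mysqli $con, string $column, string $fname, int $id): array
{
    // Strict comparison: only an exact string match against the list passes.
    if (!in_array($column, ALLOWED_COLUMNS, true)) {
        throw new InvalidArgumentException('Unknown column');
    }
    // $column is now one of four fixed strings; the values travel as bound parameters.
    $stmt = $con->prepare(
        "SELECT `$column` FROM tblstudents WHERE fname = ? AND id = ?"
    );
    $stmt->bind_param('si', $fname, $id);
    $stmt->execute();
    $stmt->bind_result($value);
    $rows = [];
    while ($stmt->fetch()) {
        $rows[] = $value; // flat list of values for the requested column
    }
    $stmt->close();
    return $rows;
}

header('Content-Type: application/json');
$column = $_POST['column'] ?? null;
$fname  = $_POST['fname'] ?? null;
$id     = filter_input(INPUT_POST, 'id', FILTER_VALIDATE_INT); // int, false or null

try {
    if (!is_string($column) || !is_string($fname) || !is_int($id)) {
        throw new InvalidArgumentException('Missing or malformed parameter');
    }
    $con = new mysqli('localhost', 'root', '', 'test');
    echo json_encode(fetchColumn($con, $column, $fname, $id));
    $con->close();
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    echo json_encode(['error' => 'invalid request']);
} catch (mysqli_sql_exception $e) {
    http_response_code(500);
    error_log($e->getMessage()); // details go to the server log, not the client
    echo json_encode(['error' => 'database error']);
}
```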
