(PDO) 从 id 收集特定数据

Question

i Have an url stands as : http://website.com/update.php?id= {NUMBER}

How would I make PDO grabs the results from that specific id?
Here is my attempt for update.php page :

try {
    $dbh = new PDO("mysql:host=$hostname;dbname=vector",$username,$password);

    $dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); // <== add this line

  $id = $_GET['id'];

    $sql = "SELECT * FROM users WHERE id = '. $id .'";
foreach ($dbh->query($sql) as $row)
    {
    ?>
    <?php echo $row['username']; ?>
    <?php
    }


    $dbh = null;
    }
catch(PDOException $e)
    {
    echo $e->getMessage();
    }
?>

Answer 1

To avoid this kind of mistakes you need to use prepared statements of PDO (which also prevents SQL INJECTION )

$dbh = new PDO("mysql:host=$hostname;dbname=vector",$username,$password);

$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); // <== add this line

$id = $_GET['id'];

$sth = $dbh->prepare("SELECT * FROM users WHERE id = ?");
$sth->execute(array($id));
$data = $sth->fetchAll(PDO::FETCH_ASSOC);
print_r($data); // check  values are coming or not and then try to print it

Answer 2

I assume your ID is a number so don't use = 'id'

also you should use prepared statments to protect against SQL injection attacks

$sql = "SELECT * FROM users WHERE id = :id";
$bind = array( 'id' => $id );
$sth = $dbh->prepare($sql);
$sth->execute($bind);
$rows = $sth->fetchAll(PDO::FETCH_ASSOC);

foreach ($rows as $row) {
    ...
}

Answer 3

I think your error is that in your SQL, your quotes are a bit mixed up...

$sql = "SELECT * FROM users WHERE id = '. $id .'";

Will most likely give you a SQL statement which will be something like..

SELECT * FROM users WHERE id = '. 1 .'

You should use prepared statements and bind variables as in others have pointed out, but in this case...

$sql = "SELECT * FROM users WHERE id = $id";

Should work.