我应该如何在mysql_query函数中编写PHP $ _POST变量?
[英]How should I write PHP $_POST vars in a mysql_query function?
问题描述
In accessing my database, I have the user fill out a form, and in the target page, the posted values are used in the resulting MySQL query. 
在访问我的数据库时,我让用户填写表单,并在目标页面中,在生成的MySQL查询中使用发布的值。
$query = mysql_query("SELECT pass FROM database WHERE user='$_POST[user]'");
However, for some reason or another, MySQL doesn't like my using a $_POST variable in the command, and it only works if I define (for example) $user = $_POST['user']; 但是,出于某种原因,MySQL不喜欢我在命令中使用$ _POST变量,它只有在我定义(例如) $user = $_POST['user'];时才有效$user = $_POST['user']; , and then put $user directly in the SQL command. ,然后将$ user直接放在SQL命令中。
On the other hand, I can use $_POST values in INSERT statements where specific column names are not required: 另一方面,我可以在INSERT语句中使用$ _POST值,其中不需要特定的列名:
$query = mysql_query("INSERT INTO database VALUES ('foo', 'bar', '$_POST[user]'");
If I try an INSERT statement where attributes are defined (eg user='foo' ), then the same problem appears. 如果我尝试定义属性的INSERT语句(例如user='foo' ),则会出现同样的问题。
What am I doing wrong in my SQL query that causes the command to error out when run, but works with the specific method of formatting an INSERT command? 我在SQL查询中做错了什么导致命令在运行时出错,但是使用格式化INSERT命令的特定方法?
Hopefully, it's not "tough luck, looks like you have to assign all of your posted values". 希望,这不是“运气不好,看起来你必须分配所有发布的价值”。 Heh. 嘿。
5 个解决方案
解决方案1
9 已采纳 2010-01-20 22:15:08
First of, watch out for SQL Injections ! 首先, 注意SQL注入 !
Now, to answer your question try doing this instead: 现在,要回答您的问题,请尝试执行此操作:
$query = mysql_query("SELECT `pass` FROM `database` WHERE `user` LIKE '" . mysql_escape_string($_POST['user']) . "';");
You were doing a couple of things wrong: 你做错了几件事:
- using the
=operator instead ofLIKEoperator使用=运算符而不是LIKE运算符 - not enclosing the value in the SQL query with
'与SQL查询未封闭的价值' - not enclosing the user index in the
$_POSTarray with'没有将用户索引包含在$_POST数组中'
PS: You should use mysql_real_escape_string() instead of mysql_escape_string() ! PS:您应该使用mysql_real_escape_string()而不是mysql_escape_string() !
解决方案2
3 2010-01-20 22:16:00
You're simply inserting a variable into a string, so it shouldn't matter which command you're putting it into. 您只是将一个变量插入到一个字符串中,因此将它放入哪个命令并不重要。
There are a few issues to point out. 有几点需要指出。
One, you might want to use the {} format for array variables. 一,您可能希望将{}格式用于数组变量。 You don't use quotes around the arrray key names in this format. 您不使用此格式的arrray键名称周围的引号。
$query = mysql_query("SELECT pass FROM database WHERE user='{$_POST[user]}'")
Two, you'd never want to make a query like that because you are open to sql injection holes. 二, 你永远不想做那样的查询,因为你对sql注入漏洞开放。 Consider, what if $_POST['user'] was "cow';drop table database;--"? 考虑一下,如果$ _POST ['user']是“cow”; drop table database; - “?
You must either run mysql_real_escape_string on the POST input before putting it into your query, or check out using PHP PDO with prepared statements. 您必须先在POST输入上运行mysql_real_escape_string,然后再将其放入查询中,或者使用带有预准备语句的PHP PDO进行检查。
One way to do format your string which provides a bit of structure is to use sprintf. 格式化提供一些结构的字符串的一种方法是使用sprintf。
$query=mysql_query(sprintf("SELECT pass FROM database WHERE user='%s'",mysql_real_escape_string($_POST['user'])));
解决方案3
2 2010-01-20 22:26:11
- Use PDO - it provides much better API to communicate with DB. 使用PDO - 它提供了更好的API与DB通信。
- If you're using
mysql_*()functions always remember to filter ( mysql_real_escape_string() ) any data that comes from untrusted source (like user)如果您正在使用mysql_*()函数,请记住过滤 ( mysql_real_escape_string() )任何来自不受信任来源的数据(如用户) Pay more attention to how your code looks like.
更加注意代码的外观。 Just compare the following listings: 只需比较以下列表: $query = mysql_query("INSERT INTO database VALUES ('foo', 'bar', " . mysql_real_escape_string($_POST['user']) . ", " . mysql_real_escape_string($_POST['user']) . ", " . mysql_real_escape_string($_POST['user']) . ", " . mysql_real_escape_string($_POST['user']) . ")"); $query = sprinf('INSERT INTO database VALUES ("foo", "bar", "%s", "%s", "%s")', mysql_real_escape(...), ...);Do I have to explain which one is better to read, modify or understand?
我是否必须解释哪一个更好阅读,修改或理解?
解决方案4
1 2010-01-20 22:23:25
Why not check and see what mysql_error() has to say about it? 为什么不检查一下mysql_error()有什么说法呢? If your query is invalid, mysql_error() will return a nice blob of text telling you exactly what went wrong. 如果您的查询无效,mysql_error()将返回一个很好的文本blob,告诉您到底出了什么问题。
As for MySQL not liking the POST var if you insert it directly for some runs, but not others, then you should make sure you're using consistent data and setups for each test. 至于MySQL不喜欢POST var,如果你直接插入一些运行,而不是其他运行,那么你应该确保你为每个测试使用一致的数据和设置。 If some test are done using a GET, then your POST vars will be empty. 如果使用GET完成某些测试,那么您的POST变量将为空。 If you're using different user names for each test, then see if what's consistent between the ones that fail. 如果您为每个测试使用不同的用户名,那么请查看失败的用户名是否一致。
And as mentioned above, read up about SQL injection and how your query is just begging to be subverted by a malicious user. 如上所述,阅读有关SQL注入以及您的查询如何被恶意用户破坏的信息。
解决方案5
0 2010-01-20 22:16:35
Try 尝试
$query = mysql_query("SELECT pass FROM database WHERE user=" . mysql_real_escape_string($_POST['user']));
and 和
$query = mysql_query("INSERT INTO database VALUES ('foo', 'bar', " . mysql_real_escape_string($_POST['user']) . ")");
Its always a good idea to sanitize anything received through $_GET or $_POST 清除通过$ _GET或$ _POST收到的任何内容总是一个好主意
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.