[英]Php mysqli and stored-procedure
I have a stored procedure: 我有一个存储过程:
Create procedure news(in dt datetime,in title varchar(10),in desc varchar(200))
Begin
Insert into news values (dt,title,desc);
End
Now my php: 现在我的PHP:
$db = new mysqli("","","","");
$dt = $_POST['date'];
$ttl = $_POST['title'];
$desc = $_POST['descrip'];
$sql = $db->query("CALL news('$dt','$ttl','$desc')");
if($sql)
{
echo "data sent";
}else{
echo "data not sent";
}
I'm new with php please help thank you 我是php的新手,请帮助谢谢
My php doesn't work i keep getting the "data not sent" message. 我的PHP不起作用,我一直收到“未发送数据”消息。 Am I doing something incorrectly? 我做错了什么吗?
First thing that comes to mind, might not be the only issue: 首先想到的可能不是唯一的问题:
$db = new mysqli("","","","");
should be something like 应该是这样的
$db = new mysqli("localhost","username","pa$$w0rd","database_name");
or if you have your ini set up correctly (see ini_get()
default values) , 或如果您的ini设置正确(请参见ini_get()
默认值) ,
$db = new mysqli();
Edit : By the way, you probably really want to use parametrised queries (or just generally escape your input) through-out, your 'CALL' query writes user input directly into the query, you're quite vulnerable to SQL injection. 编辑 :顺便说一句,您可能真的很想使用参数化查询(或者通常只是转义您的输入),您的“ CALL”查询将用户输入直接写入查询中,因此您很容易受到SQL注入的攻击。 Just imagine what'd happen if someone put in Description'); DELETE FROM news WHERE (title LIKE '%
试想一下,如果有人输入“ Description'); DELETE FROM news WHERE (title LIKE '%
会发生什么Description'); DELETE FROM news WHERE (title LIKE '%
Description'); DELETE FROM news WHERE (title LIKE '%
into $_POST['descrip']
: Description'); DELETE FROM news WHERE (title LIKE '%
到$_POST['descrip']
:
$sql = $db->query("CALL news('...','...','Description'); DELETE FROM news WHERE (title LIKE '%')");
Not so good. 不太好。
I think where you have 我想你在哪里
$sql = $db->query("CALL news('$dt','$ttl','$desc')");
you need 你需要
$sql = $db->query("CALL news('".$dt."','".$ttl."','".$desc."')");
The first fails because you are sending a string '$dt' as the date-time (and '$tt1' and '$desc' as the field values, for that matter). 第一次失败,因为您要发送字符串'$ dt'作为日期时间(与此同时,将'$ tt1'和'$ desc'作为字段值)。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.