在MySQL LIKE中使用php变量
[英]using php variable in mysql LIKE
问题描述
I want to write a mysql query something like this: 
我想写一个像这样的mysql查询:
select * from books where title like '$title_';
The $title is a php variable. $ title是一个php变量。 when i run the above query, it throws an error saying 当我运行上面的查询时,它抛出一个错误,说
'$title_ variable not found' “找不到$ title_变量”
How can I achieve this? 我该如何实现?
Thanks.. 谢谢..
8 个解决方案
解决方案1
8 2010-08-30 19:46:34
Use: 采用:
"... WHERE title LIKE '". mysql_escape_real_string($title) ."_'";
You could use: 您可以使用:
WHERE title LIKE '{$title}_'";
..but there's a risk of SQL Injection attacks ..但是有SQL注入攻击的风险
解决方案2
4 已采纳 2010-08-30 19:43:10
Do it like this: 像这样做:
$query = "select * from books where title like '{$title}_';"
$result = mysql_query($query) or die(mysql_error());
By surrounding variable in {} you can specify that only $title is a variable and not the _ . 通过在{}包围变量,可以指定仅$title是变量,而不是_ 。 And the double-quote string will ensure that this variable gets expanded to its value. 并且双引号字符串将确保此变量扩展为它的值。
解决方案3
0 2010-08-30 19:43:58
Do you have a variable $title_ or is it just $title? 您有变量$ title_还是仅仅是$ title?
If its just $title then: 如果只是$ title,则:
$query = "select * from books where title like '".$title."_'";
解决方案4
0 2010-08-30 19:44:13
Your query string must looks like: 您的查询字符串必须类似于:
$query = "select * from books where title like '".$title."_'";
Please note, the '".$title."_' 请注意, '".$title."_'
The error you are getting is because your query is taking $title and not the value of your php variable $title 您收到的错误是因为查询使用$title而不是PHP变量$title的值
解决方案5
0 2010-08-30 19:44:28
Try: 尝试:
"select * from books where title like '{$title}_';"
The curly braces first evaluate the variable and later add your wildcard _ to the variable value thereby providing sql query with your search criteria. 花括号首先计算变量,然后将通配符_添加到变量值,从而为sql查询提供搜索条件。
解决方案6
0 2010-08-30 19:44:38
$query = "select * from books where title like '" . $ query =“从标题为“”的书中选择*。 $title_ ."'"; $ title_。“'”;
解决方案7
0 2010-08-30 19:44:50
$ query =“ SELECT * FROM书籍,书名如'。$ title。” _';“;
解决方案8
-1 2010-08-30 19:43:55
The mysql query is merely a string. mysql查询仅仅是一个字符串。 You just have to put the value of your $title php variable inside this string. 您只需要将$ title php变量的值放在此字符串中即可。 The problem is that this string is followed by a character underscore that is valid in a variable name, hence you have to delimit the variable name or underscore will be included in the name. 问题在于,该字符串后跟一个在变量名中有效的下划线字符,因此您必须定界变量名,否则下划线将包含在名称中。
There is several way to do it, for exemple: 例如,有几种方法可以做到:
$query = "select * from books where title like '${title}_'";
$query = "select * from books where title like '".$title."_'";
As OMG Ponies said, if $title came from some user input and not from some controlled part of your program (for exemple another table in database), the variable should also be protected or there is some risks of SQL injection attack (executing more than one query, and more specifically a query prepared by some hacker to be some valid SQL). 如OMG Ponies所说,如果$ title来自某些用户输入而不是程序的某些受控部分(例如数据库中的另一个表),则该变量也应受到保护,否则存在SQL注入攻击的风险(执行一个查询,更具体地说,是由某些黑客准备的有效SQL查询。
Beside attacks, there is also some other potential problems if you do not escape. 除了攻击之外,如果您不逃避的话,还有其他一些潜在的问题。 Imagine what will happen for exemple if the title actually contains a quote... 想象一下,如果标题实际上包含引号,将会发生什么情况?
I would usually do: 我通常会这样做:
$query = "select * from books where title like '".addslashes($title)."_'";
but there is other variants depending the escaping context and what you want to protect from. 但是还有其他变体,具体取决于转义的上下文和您要保护的内容。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.