For partner data, I need the partner id to correspond to the pid from the contract result. I got the query result from contract data, got the contract data, then I need the partner.id to be the contract.pid. When saving this, I get this error:
Query failed : You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 3
require "$_SERVER[DOCUMENT_ROOT]/billing/server/Smarty/libs/Smarty.class.php";
require_once "$_SERVER[DOCUMENT_ROOT]/common/server/engine.php";
// required args
$cbid = $_GET['cbid'];
//$smarty->force_compile = true;
$smarty->debugging = true;
$smarty->caching = true;
$smarty->cache_lifetime = 120;
// ------- contract data ------
$sql = "
SELECT *
FROM billing.contract_body
JOIN billing.contract_stub ON stub=contract_stub.id
WHERE contract_body.id=$cbid
";
$result = mysql_query($sql) or die ("Query failed : " . mysql_error());
while ($contract = mysql_fetch_assoc($result))
{
    $value[] = $contract;
}
$smarty->assign('contract', $value);
// ------- partner data ------
$sql = "
SELECT *
FROM common.partner
WHERE partner.id=$contract[pid]
";
$result = mysql_query($sql) or die ("Query failed : " . mysql_error());
while ($partner = mysql_fetch_assoc($result))
{
    $value[] = $partner;
}
There are a few possible problems:
1) You should probably use {} when interpolating array elements in a php string. I think different (older) versions of php handle the cases without {} differently (it's hard to get references to documentation on older versions of php). The value could easily be interpreted as '', which would result in a sql error. You could confirm this by printing out the actual sql string being executed - if the value is missing this would be the problem. I personally always use the { } syntax for every expression other than simple variables " $myvar "
2) $contract[pid] is probably not valid. pid would be interpreted as a constant (DEFINE) (which may resolve to 'pid'). I'm guessing you meant this: $contract['pid']. Unfortunately the php documentation is not consistent in this - some samples show the use without quotes and some parts explicitly point out the problem:
"Always use quotes around a string literal array index. For example, $foo['bar'] is correct, while $foo[bar] is not. But why? It is common to encounter this kind of syntax in old scripts:"
http://php.net/manual/en/language.types.array.php
3) It's appropriate to put single quotes around the value in the sql equals comparison. where table.column = 'value'; It may work without, depending on data types involved.
4) your code is subject to sql injection. You're using the cbid value from the $_GET parameters without sanitizing them or using query parameters.
So try this:
" ... where partner.id='{$contract['pid']}' "
and please fix your sql injection :) The best approach is to use query parameters which avoids much of your problem with string interpolation in the first place. http://php.net/manual/en/mysqli.quickstart.prepared-statements.php
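The following is an added example, not code from the question or the answer, showing the two queries from the question rewritten with mysqli prepared statements as the answer recommends. It assumes the tables and columns named in the question (billing.contract_body, billing.contract_stub, common.partner, a pid column on the contract row), hypothetical connection credentials, and a PHP build with mysqlnd so that get_result() is available. The contract row is also kept in its own variable: in the original code, $contract was the while-loop variable, which mysql_fetch_assoc() sets to false once the rows run out, so by the time the second query was built the value it interpolated was empty.

```php
<?php
// Added example (not the question's or the answer's code): parameterised
// versions of the two queries from the question.
// Assumptions: table/column names as in the question; credentials below are
// placeholders; mysqlnd is available for get_result().

// Make mysqli throw on errors instead of silently returning false
// (this is the default from PHP 8.1 onwards).
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

$db = new mysqli('localhost', 'dbuser', 'dbpass', 'billing'); // placeholders

// Validate the request parameter before it gets anywhere near SQL.
// filter_input() returns null when the parameter is absent and false when
// it is present but not an integer.
$cbid = filter_input(INPUT_GET, 'cbid', FILTER_VALIDATE_INT);
if ($cbid === null || $cbid === false) {
    http_response_code(400);
    exit('cbid must be an integer');
}

// ------- contract data ------
// The value is bound as a parameter, never interpolated into the SQL text,
// so the quoting, escaping and {} interpolation questions disappear.
$stmt = $db->prepare("
    SELECT *
    FROM billing.contract_body
    JOIN billing.contract_stub ON stub = contract_stub.id
    WHERE contract_body.id = ?
");
$stmt->bind_param('i', $cbid);
$stmt->execute();
$contracts = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
$stmt->close();

if (count($contracts) === 0) {
    http_response_code(404);
    exit('No contract with that id');
}

// Keep the row in its own variable rather than reusing the loop variable.
// In the original, $contract was false after the while loop finished, so
// "$contract[pid]" expanded to an empty string inside the second query.
$contract = $contracts[0];

// ------- partner data ------
// Quoted array key, and the value is bound rather than interpolated.
// Bound as a string here because the column type is not known from the
// question; use 'i' if partner.id is an integer column.
$pid  = (string) $contract['pid'];
$stmt = $db->prepare("SELECT * FROM common.partner WHERE partner.id = ?");
$stmt->bind_param('s', $pid);
$stmt->execute();
$partners = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
$stmt->close();

// Hand both result sets to the template as in the original
// (Smarty setup omitted here; the variable names are the question's).
// $smarty->assign('contract', $contracts);
// $smarty->assign('partner', $partners);
```

With the values bound, the generated SQL is identical whatever cbid or pid contains, so a malformed or hostile cbid can only produce a 400 response or an empty result set, never a different query. If the application must stay on the old mysql_* functions for a while, the minimum stop-gap is casting cbid to int and running the pid through mysql_real_escape_string() inside single quotes, but the prepared-statement form above is the one worth migrating to.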