
Inserting Variables In MySQL Query

As you can see, I have a query into which I want to insert variables. What is wrong with my syntax?

$query = "UPDATE house SET epname=".$newtitle" WHERE epid= ".$epid;

The basic syntax error is:

…e=".$newtitle" W…
             ^^

If you were going to go down the route of bashing strings together to make SQL statements, then you should make use of the fact that double quotes interpolate. This results in much more readable code.

$query = "UPDATE house SET epname=$newtitle WHERE epid=$epid";

But the approach of string bashing is flawed. Use prepared statements (preferably with PDO); they are harder to create SQL injection vulnerabilities with and (arguably) easier to read.
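As an added example (not code from the original answers), here is the asker's UPDATE written as a PDO prepared statement. The table layout and sample rows are assumptions, and it runs against an in-memory SQLite database so it is self-contained; the SQL and the PDO calls are the same for MySQL.

```php
<?php
// Added example, not from the original post: the UPDATE from the question as a
// PDO prepared statement. Uses in-memory SQLite so it runs offline; for MySQL
// use a DSN such as 'mysql:host=localhost;dbname=DB_NAME_PLACEHOLDER' and
// consider $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false) for
// server-side prepares. Table layout (house, epname, epid) is assumed.

function updateEpisodeName(PDO $pdo, int $epid, string $newtitle): int
{
    // Placeholders instead of concatenation: the values travel separately
    // from the SQL text, so quotes or SQL fragments in $newtitle stay data.
    $stmt = $pdo->prepare('UPDATE house SET epname = :epname WHERE epid = :epid');
    $stmt->bindValue(':epname', $newtitle, PDO::PARAM_STR);
    $stmt->bindValue(':epid', $epid, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount(); // number of rows actually changed
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample data.
$pdo->exec('CREATE TABLE house (epid INTEGER PRIMARY KEY, epname TEXT)');
$pdo->exec("INSERT INTO house (epid, epname) VALUES (1, 'Pilot'), (2, 'Second')");

// A title containing a single quote and a comment marker: with the
// concatenated query from the question this would break the statement or
// change its meaning; with binding it is stored verbatim.
$newtitle = "Bob's Return -- finale";
$changed = updateEpisodeName($pdo, 2, $newtitle);

$row = $pdo->query('SELECT epname FROM house WHERE epid = 2')->fetchColumn();
echo "rows changed: $changed, epname now: $row\n";
```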

Are your variables strings? You will want to enclose them in quotes for the purpose of the MySQL query.

Also, you're missing a concatenation operator (period) after $newtitle.

If you echo out the value of $query, you should see the error:

UPDATE house SET epname=[value of newtitle] WHERE epid= [value of $epid]

Assuming that epname is a char/varchar value, and epid is an integer of some sort, you probably want to do this:

$query = "UPDATE house SET epname = '" . mysql_real_escape_string($newtitle) . "' WHERE epid= " . $epid;

If you do not use the mysql_escape_string function around your strings, you are vulnerable to SQL injection attacks.

$query = "UPDATE house SET epname=".$newtitle" WHERE epid= ".$epid;

should be

$query = "UPDATE house SET epname=".$newtitle." WHERE epid= ".$epid;

or better

$query = "UPDATE house SET epname= $newtitle WHERE epid= $epid";
