
SELECT * FROM $_POST[] - PHP mySQL formatting

Need help formatting a MySQL query string. The following query returns "parse error, expecting T_STRING or T_VARIABLE":

PHP:

<?php

include 'db_connect.php';

mysql_select_db($databaseName, $con);

// Original query as posted; the quoted array key inside the double-quoted string is what triggers the parse error.
$query = "SELECT * FROM .$_POST['tab']. WHERE plant_code = .$_POST['plant_code']";

$result = mysql_query($query) or die (mysql_error());

$row = mysql_fetch_assoc($result);

echo json_encode($row);

?>

jQuery:

$('#profiles_desktops').click(function(){
    $.post("php/loadProfile.php", {plant_code : selectedSite, tab : "profiles_desktops"}, function(result){ (do something here...) });
});

DO NOT DO THAT! It's wide open to SQL injection attacks. For God's sake, validate and escape your input.

At the very least, rewrite it to:

$query = "SELECT * FROM `".mysql_real_escape_string($_POST['tab'])."` WHERE plant_code = '".mysql_real_escape_string($_POST['plant_code'])."'";
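To make the injection point concrete, here is an added example that is not from the original thread or any of its answers. It first builds the SQL text the question's concatenation would send for a hostile request, then shows a hardened loader using PDO prepared statements. It assumes the PDO mysql driver, a table with a plant_code column as in the question, and a hypothetical whitelist of permitted table names (`ALLOWED_TABLES`); the `loadProfile` function and the DSN in the usage comment are likewise assumptions for illustration.

```php
<?php
// Added example, not code from the original thread. Assumes PDO with the
// mysql driver, a table whose columns include plant_code (as in the question),
// and a hypothetical whitelist of the table names this endpoint may read.

// --- 1. What the question's concatenation actually sends to MySQL ---------
// Builds the SQL text only; nothing is executed here.
function buildUnsafeQuery(array $post): string
{
    return "SELECT * FROM " . $post['tab'] . " WHERE plant_code = " . $post['plant_code'];
}

// Constructed attacker input: because the value is not quoted, a boolean
// tautology is parsed as SQL and the query returns every row in the table.
$hostile = ['tab' => 'profiles_desktops', 'plant_code' => '0 OR 1=1'];
echo buildUnsafeQuery($hostile), PHP_EOL;
// SELECT * FROM profiles_desktops WHERE plant_code = 0 OR 1=1

// --- 2. Hardened version ---------------------------------------------------
// A table name is an identifier: it cannot be a bound parameter, and
// mysql_real_escape_string() does not escape backticks, so escaping alone
// does not make it safe. Compare it against a fixed list instead.
const ALLOWED_TABLES = ['profiles_desktops', 'profiles_servers']; // hypothetical

function loadProfile(PDO $db, array $post): ?array
{
    $tab = $post['tab'] ?? '';
    if (!in_array($tab, ALLOWED_TABLES, true)) {
        throw new InvalidArgumentException('unknown table: ' . $tab);
    }
    if (!isset($post['plant_code'])) {
        throw new InvalidArgumentException('plant_code is required');
    }

    // $tab is now one of our own literals, so interpolating it is safe.
    // plant_code travels as a bound parameter and never becomes SQL text,
    // so '0 OR 1=1' is compared as a literal value rather than executed.
    $stmt = $db->prepare("SELECT * FROM `{$tab}` WHERE plant_code = :plant_code");
    $stmt->execute([':plant_code' => $post['plant_code']]);

    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Usage (DSN and credentials are placeholders; replace with your own):
// $db = new PDO('mysql:host=localhost;dbname=plants;charset=utf8mb4', 'user', 'pass', [
//     PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
//     PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
// ]);
// header('Content-Type: application/json');
// echo json_encode(loadProfile($db, $_POST));
```

Two design points: the identifier and the value are handled differently on purpose (whitelist for the former, bound parameter for the latter), and `ATTR_EMULATE_PREPARES => false` makes the driver send the statement and the parameters to the server separately rather than splicing escaped text client-side.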

The query should be:

"SELECT * FROM ".$_POST['tab']." WHERE plant_code =".$_POST['plant_code']

The periods (.) in your query are unnecessary because you didn't break the quotes. Either of these should work:

// Inside a double-quoted string, an array element with a quoted key must be wrapped in braces.
$query = "SELECT * FROM {$_POST['tab']} WHERE plant_code = {$_POST['plant_code']}";

or

$query = "SELECT * FROM " . $_POST['tab'] . " WHERE plant_code = " . $_POST['plant_code'];

Edit: This is, of course, not addressing the giant injection security holes :]

Your concatenations in the $query declaration are wrong.

$query = "SELECT * FROM " . $_POST['tab'] . " WHERE plant_code = '" . mysql_real_escape_string($_POST['plant_code']) . "'";

would suffice.

Should be:

$query = "SELECT * FROM ".$_POST['tab']." WHERE plant_code = ".$_POST['plant_code'];

You needed to have the PHP variable surrounded by double quotes (and leave the last one off, since you are ending with a variable), or, instead of double quotes, leave out the dots, because PHP will see they are variables and convert them to their values before the query runs. Also, SQL doesn't like bracketed array variables for some reason. Try putting all your values in variables, which is also much nicer to read:

$tab = $_POST['tab'];
$plant = $_POST['plant_code'];
$query = "SELECT * FROM ".$tab." WHERE plant_code = ".$plant;
