[英]Displaying Dynamic Results PHP mySQL
我在sql中选择列名称作为Value而不是名称本身时遇到问题。
因此,例如返回的结果显示
SELECT ll_project.project_id, ll_project.size, ll_lessons.lesson_title FROM ll_project INNER JOIN ll_lessons ON ll_project.project_id = ll_lessons.project_id WHERE ll_project.project_id = BSKYB5555
Unknown column 'BSKYB5555' in 'where clause'
从以下代码
$pid = $_POST['project_id'] ;
$psize = $_POST['projectSize'] ;
$pdepts = $_POST['depts'] ;
$lstage = $_POST['stage'] ;
$ltype = $_POST['type'] ;
$impacted = $_POST['impacted'] ;
//Your columns in the DB
$columns = array('project_id'=>'ll_project.project_id','projectSize'=>'ll_project.size','depts'=>'ll_project.deptartment','stage'=>'ll_lessons.stage','type'=>'ll_lessons.type','impacted'=>'impacted');
$sqlString = null;
echo "Total Number Of Captured Post Variables is:";
echo count($_POST);
echo '<br />';
$number = 0;
$queryStr = "";
$preStr = array();
foreach ($_POST as $key => $val ) {
if (!empty($_POST[$key])){
if(!is_array($_POST[$key]))
$currentStr = $columns[$key]." = ".$val;
else
$currentStr = $columns[$key]." IN (".implode(',',$_POST[$key]).")";
$preStr[] = $currentStr;
}
}
$queryStr = "SELECT ll_project.project_id, ll_project.size, ll_lessons.lesson_title FROM ll_project INNER JOIN ll_lessons ON ll_project.project_id = ll_lessons.project_id WHERE ".implode(' AND ',$preStr);
echo $queryStr;
echo '<br />';
if($number ==1) {
}else{
}
$result = mysql_query($queryStr) or die(mysql_error());
while($row = mysql_fetch_assoc($result)) {
echo ' <tr>
<td>'.$row['project_name'].' </td>
<td>'.$row['project_id']. '';
}
我在做什么错,为什么这会取值作为列名?
在查询值周围添加引号
SELECT ll_project.project_id, ll_project.size, ll_lessons.lesson_title FROM ll_project INNER JOIN ll_lessons ON ll_project.project_id = ll_lessons.project_id WHERE ll_project.project_id = "BSKYB5555"
由于没有引号,因此不会将其视为字符串
编辑
不幸的是,由于没有注释,因此代码和逻辑有点难以遵循
您可以尝试更换
$currentStr = $columns[$key]." = ".$val;
同
$currentStr = $columns[$key]." = '".mysql_real_escape_string($val)."'";
这应该可以解决您的问题,并通过直接在查询中使用用户输入来消除当前存在的sql注入漏洞。
如果在查询中使用字符串,则必须将其括起来
SELECT ll_project.project_id, ll_project.size, ll_lessons.lesson_title FROM ll_project INNER JOIN ll_lessons ON ll_project.project_id = ll_lessons.project_id WHERE ll_project.project_id = 'BSKYB5555'
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.