[英]PHP and SQL syntax issue
我遇到了一些(应该很简单)的代码问题。 我从表单获取信息,并试图在数据库中回显与表单规范匹配的条目。 我认为我的HTML是正确的,而我的问题出在PHP。 这是我需要帮助的代码:
<?php
$submit = @$_POST['submit'];
$gender = $_POST['gender'];
$hair = $_POST['hair'];
$height = $_POST['height'];
$body = $_POST['body'];
if ($submit){
//open database
$connect = mysql_connect("xxxx", "xxxx", "xxxx") or die("Couldnt Connect to Server");
mysql_select_db("xxxx") or die("Couldnt find database");
$query = mysql_query("SELECT * FROM `table` WHERE `gender`='$gender' AND `hair`='$hair' AND `height`='$height' AND `body`='$body'");
$query_run = mysql_query($query);
if ($query_run = mysql_query($query)) {
while ($query_row = mysql_fetch_assoc($query_run)) {
$pic = $query_row['picture'];
};
};
};
?>
这是一个自我提交的页面<form action='thispage.php' method='post'>
。 稍后,在页面的空白处,我将回显$ pic。
此方法正确/最佳方法吗? 如果需要,我将发布整个页面的代码。 现在只有75行。
在被告知我应该使用SQLi之前,这现在只是一个概念证明,更重要的是,我不知道如何进行从SQL到SQLi的更改。
编辑:在表单中,只有选项,没有文本输入(如果有的话)
这就是我使用现代图书馆的方式
// check that all required POST parameters are present
if (isset($_POST['submit'], $_POST['gender'], $_POST['hair'], $_POST['height'],
$_POST['body'])) {
// create DB connection
$pdo = new PDO('mysql:host=localhost;dbname=xxxx;charset=utf8',
'xxxx', 'xxxx');
// set error mode and use real prepared statements if possible
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
// prepare an SQL statement with parameter placeholders
// I changed the * to just `picture` as that's all you were using in your OP
$stmt = $pdo->prepare('SELECT `picture` FROM `table` WHERE `gender` = ? AND `hair` = ? AND `height` = ? AND `body` = ?');
// execute with the POST parameters
$stmt->execute(array(
$_POST['gender'],
$_POST['hair'],
$_POST['height'],
$_POST['body']
));
// load all "picture" results into an array
$pics = array();
while ($pic = $stmt->fetchColumn()) {
$pics[] = $pic;
}
}
$query = mysql_query("SELECT * FROM `table` WHERE `gender`='$gender' AND `hair`='$hair' AND `height`='$height' AND `body`='$body'");
$query_run = mysql_query($query);
if ($query_run = mysql_query($query)) {
while ($query_row = mysql_fetch_assoc($query_run)) {
$pic = $query_row['picture'];
};
};
应该
$query = "SELECT * FROM `table` WHERE `gender`='$gender' AND `hair`='$hair' AND `height`='$height' AND `body`='$body'";
if ($query_run = mysql_query($query)) {
while ($query_row = mysql_fetch_assoc($query_run)) {
$pic = $query_row['picture'];
};
};
$ query = mysql_query (“ SELECT * FROM`table .........
$ query_run = mysql_query($ query); 额外
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.