1. 首页
  2. 问答
  3. 如何在mysql查询中使用循环生成的php变量

如何在mysql查询中使用循环生成的php变量

2017-04-10 18 views
1

我需要一点帮助。请问如何将PHP值“$ filtr_zamestnanci_ID”添加到sql_query中。代码在这里:如何在mysql查询中使用循环生成的php变量

<?php 
if (isset($_POST["filtr_zamestnanci_ID"])) { 
    for ($a = 0; $a < count($_POST["filtr_zamestnanci_ID"]); $a++) { 
     $filtr_zamestnanci_ID .="AND companies_text_records_user_ID = '".$_POST["filtr_zamestnanci_ID"][$a]."'&nbsp;"; 
    } 
}else { 
    $filtr_zamestnanci_ID = ""; 
} 

echo "filtr_zamestnanci_ID :".$filtr_zamestnanci_ID; 

mysql_query("SET CHARACTER SET utf8"); 
$sql_1 = 
    mysql_query("SELECT * FROM companies_text_records 
     LEFT JOIN companies ON companies_text_records_company_ID = company_ID 
     LEFT JOIN login_users ON user_id = companies_text_records_user_ID 
     WHERE companies_text_records_relative_to = '0' 
     '".$filtr_zamestnanci_ID."' 
     ORDER BY companies_text_records_ID DESC"); 
?>

如果我通过它没有循环一切都OK。但循环输出根本不起作用。也许在格式为“$ filtr_zamestnanci_ID”?

来源

2017-04-10 TOSM-1

+3

FYI,[则不应使用'mysql_ *'功能在新代码中](http://stackoverflow.com/questions/12859942/)。他们不再被维护[并被正式弃用](https://wiki.php.net/rfc/mysql_deprecation)。看到[红盒](http://php.net/manual/en/function.mysql-connect.php)?学习[*准备的语句*](https://en.wikipedia.org/wiki/Prepared_statement),并使用[PDO](http://php.net/pdo)或[MySQLi](http:// php.net/mysqli) - [这篇文章](http://php.net/manual/en/mysqlinfo.api.choosing.php)将帮助你决定哪一个最适合你。 –

+3

你的脚本存在[SQL注入攻击]的风险(http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)看看发生了什么事[Little鲍比表](http://bobby-tables.com/)即使[如果你逃避投入,它不安全!](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around -mysql-real-escape-string)使用[prepared parameterized statements](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php)。 –

+0

将mysql_query放入循环中... –

回答

1

请尝试以下操作。也将解决你的SQL注入的问题:

<?php 
    $conn = new PDO("mysql:host=$hostname;dbname=$db_name;charset=utf8mb4", $db_username, $db_password); 
    $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); 

if (isset($_POST["filtr_zamestnanci_ID"])) { 
    for ($a = 0; $a < count($_POST["filtr_zamestnanci_ID"]); $a++) { 
     $filtr_zamestnanci_ID = $_POST["filtr_zamestnanci_ID"][$a]; 

     $stmt = $conn->prepare("SELECT * FROM companies_text_records 
          LEFT JOIN companies ON companies_text_records_company_ID = company_ID 
          LEFT JOIN login_users ON user_id = companies_text_records_user_ID 
         WHERE companies_text_records_relative_to = '0' 
         AND companies_text_records_user_ID = :company_text_records_user_id 
         ORDER BY companies_text_records_ID DESC"); 

     if ($stmt->execute(array(':company_text_records_user_id' => $filtr_zamestnanci_ID))) { 
      while($row = $stmt->fetch(PDO::FETCH_ASSOC)) { 
       $someField = $row['columnFromDatabase']; 
      } 
      echo 'success'; 
     } 
    } 
}else { 
    $filtr_zamestnanci_ID = ""; 
} 
?>

来源

2017-04-10 11:53:52

0

警告的mysql_query,mysql_fetch_array,的mysql_connect等扩展就被抛弃在PHP 5.5.0,它是PHP 7.0.0中删除。 应该使用MySQLi或PDO_MySQL扩展。

1)给出的空间之前AND

$filtr_zamestnanci_ID .=" AND companies_text_records_user_ID = '".$_POST["filtr_zamestnanci_ID"][$a]."'";

2)除去封闭对于额外添加的单引号where子句'".$filtr_zamestnanci_ID."'

"SELEC‌​T * FROM companies_text_records LEFT JOIN companies ON companies_text_records_company_ID = company_ID LEFT JOIN login_users ON user_id = companies_text_records_user_ID WHERE companies_text_records_relative_to = '0' ".$filtr_zamestnanci_ID." ORDER BY companies_text_records_ID DESC"

来源

2017-04-10 11:56:02 JYoThI

相关问题

 相关问题