$insertQuery = "INSERT INTO appointment
(appointmentID
, doctorid
, appointmentDate
, symptoms
, patientid
, time
)
SELECT '" . $id . "'
, n.doctorid
, '" . $date . "'
, '". $symptoms ."'
, p.patientid
FROM (SELECT e.doctorid
FROM doctors e
WHERE e.doctorName LIKE '" . $docName . "'
LIMIT 1
) d
CROSS
JOIN (SELECT q.patientid
FROM patient q
WHERE q.patientName LIKE '" . $nameOfUser ."'
LIMIT 1
) p ";
这种说法是主题到SQL注入。为了缓解这种情况,您需要转义包含在SQL文本中的“不安全”值,或者使用带有绑定占位符的准备好的语句。
假设你正在使用的mysqli接口的程序风格的功能,连接被命名为$con
$insertQuery = "INSERT INTO appointment
(appointmentID
, doctorid
, appointmentDate
, symptoms
, patientid
, time
)
SELECT '" . mysqli_real_escape_string($con, $id) . "'
, n.doctorid
, '" . mysqli_real_escape_string($con, $date) . "'
, '" . mysqli_real_escape_string($con, $symptoms) ."'
, p.patientid
FROM (SELECT e.doctorid
FROM doctors e
WHERE e.doctorName LIKE '" . mysqli_real_escape_string($con, $docName) . "'
LIMIT 1
) d
CROSS
JOIN (SELECT q.patientid
FROM patient q
WHERE q.patientName LIKE '" . mysqli_real_escape_string($con, $nameOfUser) ."'
LIMIT 1
) p ";
已准备语句会使用绑定的占位符代替文字:
$insertQuery = "INSERT INTO appointment
(appointmentID
, doctorid
, appointmentDate
, symptoms
, patientid
, time
)
SELECT ?
, n.doctorid
, ?
, ?
, p.patientid
FROM (SELECT e.doctorid
FROM doctors e
WHERE e.doctorName LIKE ?
LIMIT 1
) d
CROSS
JOIN (SELECT q.patientid
FROM patient q
WHERE q.patientName LIKE ?
LIMIT 1
) p ";
你定义'预约ID'与PRIMARY_KEY和AUTO_INCREMENT?如果是的话,你可以删除'约会ID'字段或设置为'空' – 2014-09-30 01:20:43
仍然没有成功。 – Gokigooooks 2014-09-30 01:45:17