使用select语句和php变量插入到MySQL

Question

我看起来像这样。它应该插入这些值，但我不能让ID的由php插入。我无法得到正确的语法，请帮助。

---

$insertQuery = "insert into appointment (appointmentID, doctorid, appointmentDate, symptoms, patientid, time) 
    values($id,(select doctorid from doctors where doctorName like '$docName'),$date,$symptoms, 
    (select patientid from patient where patientFName like '$nameOfUser'),$time)"; 

---

我得到一个无效的查询错误，但是当我vardump THES变量($docName, $id, $nameOfUser)他们变成是在正确的格式。我已经尝试在MySQL表中手动输入，并且它已成功插入。

Answer 1

首先，您通过使用(select patientid from patient where patientFName like '$nameOfUser')来选择已经使用的ID而犯了一个错误。我建议patientid是主键和整数数据类型。

当您创建一个表。使用此语法使其自动增加：

CREATE TABLE example (
    id MEDIUMINT NOT NULL AUTO_INCREMENT, 
    name CHAR(30) NOT NULL, 
    PRIMARY KEY (id) 
) ENGINE=MyISAM; 

而当您插入表中时，您不必插入id。数据库引擎会自动计算最后一个ID。

INSERT INTO example(name)values('example'); 

但是！如果你已经不auto_increment命令创建这个表，你必须使用这个表“太远”，只要使用此解决方案：

mysql_connect('your host','database user','password'); 
mysql_select_db('your database name'); 
$query=mysql_query('SELECT MAX(patientid) FROM yourtable;'); 
$read_id = mysql_fetch_row($query)); 
$next_id = $read_id[0] + 1; 
$query = mysql_query('INSERT INTO yourtable(patientid)values('.$next_id.');'); 

欲了解更多信息，了解它here

Answer 2

$insertQuery = "INSERT INTO appointment 
    (appointmentID 
    , doctorid 
    , appointmentDate 
    , symptoms 
    , patientid 
    , time 
    ) 
SELECT '" . $id . "' 
    , n.doctorid 
    , '" . $date . "' 
    , '". $symptoms ."' 
    , p.patientid 
    FROM (SELECT e.doctorid 
      FROM doctors e 
      WHERE e.doctorName LIKE '" . $docName . "' 
      LIMIT 1 
     ) d 
CROSS 
    JOIN (SELECT q.patientid 
      FROM patient q 
      WHERE q.patientName LIKE '" . $nameOfUser ."' 
      LIMIT 1 
     ) p "; 

这种说法是主题到SQL注入。为了缓解这种情况，您需要转义包含在SQL文本中的“不安全”值，或者使用带有绑定占位符的准备好的语句。

假设你正在使用的mysqli接口的程序风格的功能，连接被命名为$con

$insertQuery = "INSERT INTO appointment 
    (appointmentID 
    , doctorid 
    , appointmentDate 
    , symptoms 
    , patientid 
    , time 
    ) 
SELECT '" . mysqli_real_escape_string($con, $id) . "' 
    , n.doctorid 
    , '" . mysqli_real_escape_string($con, $date) . "' 
    , '" . mysqli_real_escape_string($con, $symptoms) ."' 
    , p.patientid 
    FROM (SELECT e.doctorid 
      FROM doctors e 
      WHERE e.doctorName LIKE '" . mysqli_real_escape_string($con, $docName) . "' 
      LIMIT 1 
     ) d 
CROSS 
    JOIN (SELECT q.patientid 
      FROM patient q 
      WHERE q.patientName LIKE '" . mysqli_real_escape_string($con, $nameOfUser) ."' 
      LIMIT 1 
     ) p "; 

已准备语句会使用绑定的占位符代替文字：

$insertQuery = "INSERT INTO appointment 
    (appointmentID 
    , doctorid 
    , appointmentDate 
    , symptoms 
    , patientid 
    , time 
    ) 
SELECT ? 
    , n.doctorid 
    , ? 
    , ? 
    , p.patientid 
    FROM (SELECT e.doctorid 
      FROM doctors e 
      WHERE e.doctorName LIKE ? 
      LIMIT 1 
     ) d 
CROSS 
    JOIN (SELECT q.patientid 
      FROM patient q 
      WHERE q.patientName LIKE ? 
      LIMIT 1 
     ) p ";