带有 PHP 变量的 MySQL 查询问题 [英] MySQL query with PHP variables Issues

问题描述

我已经搜索了诸如 stackoverflow 之类的东西来寻找答案，但似乎没有什么对我有用.我在/var/log/apache2/error_log 中没有收到任何错误，所以它在语法上似乎是正确的.

I've scoured the likes of stackoverflow looking for answers, and nothing seems to be working for me. I'm not getting any errors in the /var/log/apache2/error_log, so it seems to be syntactically correct.

我正在制作一个功能页面，该页面将从输入表单中获取数据，并根据用户填写的内容将其插入到数据库中以进行更新.当我在 mysql CLI 上运行查询时，它会很好地更新它，但是当我运行它时它在页面中不起作用.

I'm making a function page that will take the data from an input form and insert it into the database based on what was filled out by the user to be updated. When I run the query at the mysql CLI it updates it just fine, but it will not work in the page when I run it.

我设置了多个查询，它们仅根据信息是否已填写运行，这是一个示例，就好像用户想要更新他们的名字一样.

I have multiple queries set up, and they only run based on if the information was filled out, here is an example as if the user wanted to update their first name.

最重要的是，这恰好将人输入的单词转换为 PHP 变量，

Up top this happens to turn the words the person entered into PHP variables,

$first_name = htmlentities($_POST["first"], ENT_QUOTES);

它还通过以下方式从用户的登录信息中获取用户 ID:

It also gets the person's user ID from their login information via:

$user_id = $_SESSION['login_info']['user_id'];

然后，这是它检查实体是否为空的地方，如果不是，则运行查询.

Then after that this is where it checks to see if the entity is empty, if it isn't it runs the query.

if ($first_name != "") {
    $result = $dbact->interact("UPDATE person SET first_name = ".$first_name." WHERE idperson = ".$user_id, true);
}

$result 存储查询的输出，因为我正在调用如下所示的交互函数:

The $result is storing the output of the query, because I'm calling my interact function which looks like this:

public function interact($query,$resultVal) {
    $db = new mysqli("localhost","username","password","calendar");

    if ($db->connect_errno) {
        echo "Failed to connect to MySQL: (" . $db->connect_errno . ") " . $db->connect_error;
    }

    if(!$db) {
        echo "Error: Could not acces database in mySQL";
        exit;
    }

    //Running the query and returning the result based on $resultVal
    if($resultVal) {
        $result = $db->query($query);

        return $result;
    }

    else {
        $db->query($query);
    }
}

这一定是我的语法有问题，我连接错了吗?这可能只是我忽略的东西，但我很乐意提供意见.

It must be something with my syntax, am I concatenating something wrong? It might just be something I'm overlooking, but I would love to have the input.

感谢大家的时间.

推荐答案

您的字符串值缺少引号:

You're missing quotes around your string value:

$result = $dbact->interact("UPDATE person SET first_name = ".$first_name." WHERE idperson = ".$user_id, true);
                                                         ^^^^^^^^^^^^^^^^^^^
                                                                HERE

应该是:

$result = $dbact->interact("UPDATE person SET first_name = '".$first_name."' WHERE idperson = ".$user_id, true);

仅供参考，htmlentities()不能保护您免受 SQL 注入.您的代码易受攻击.

FYI, htmlentities() does not protect you against SQL injections. Your code is vulnerable.

这篇关于带有 PHP 变量的 MySQL 查询问题的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！