使用PHP从mysql数据库中选择并回显单个字段 [英] select and echo a single field from mysql db using PHP

问题描述

我正在尝试从特定行中选择标题列

Im trying to select the title column from a particular row

$eventid = $_GET['id'];
$field = $_GET['field'];
$result = mysql_query("SELECT $field FROM `events` WHERE `id` = '$eventid' ");
echo $result;

我所得到的只是Resource id #19

我应该怎么做?什么是最好的方法?

How should i do this? What is best method?

推荐答案

$eventid = $_GET['id'];
$field = $_GET['field'];
$result = mysql_query("SELECT $field FROM `events` WHERE `id` = '$eventid' ");
$row = mysql_fetch_array($result);
echo $row[$field];

但是要小心sql注入，因为您直接在查询中使用$ _GET.注入的危险特别严重，因为没有数据库函数可以逃逸标识符.相反，您需要将该字段传递给白名单，或者(最好还是)在外部使用与列名不同的名称，并将外部名称映射到列名.无效的外部名称将导致错误.

but beware of sql injection cause you are using $_GET directly in a query. The danger of injection is particularly bad because there's no database function to escape identifiers. Instead, you need to pass the field through a whitelist or (better still) use a different name externally than the column name and map the external names to column names. Invalid external names would result in an error.

这篇关于使用PHP从mysql数据库中选择并回显单个字段的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！