PHP 和 SQL 语法问题 [英] PHP and SQL syntax issue

问题描述

我遇到了一些(应该很简单)代码的问题.我正在从表单中获取信息并尝试在数据库中回显与表单规范匹配的条目.我认为我的 HTML 是正确的，我的问题在于 PHP.这是我需要帮助的代码:

I am having problems with a (should be simple) bit of code. I am getting info from a form and trying to echo out an entry/ies in a database that match the form specifications. I think that my HTML is correct, and my problem lies in the PHP. Here is my code that I need help with:

<?php
    $submit = @$_POST['submit'];
    $gender = $_POST['gender'];
    $hair = $_POST['hair'];
    $height = $_POST['height'];
    $body = $_POST['body'];

    if ($submit){
        //open database
        $connect = mysql_connect("xxxx", "xxxx", "xxxx") or die("Couldnt Connect to Server");
        mysql_select_db("xxxx") or die("Couldnt find database"); 

        $query = mysql_query("SELECT * FROM `table` WHERE `gender`='$gender' AND `hair`='$hair' AND `height`='$height' AND `body`='$body'");
        $query_run = mysql_query($query);

        if ($query_run = mysql_query($query)) {
            while ($query_row = mysql_fetch_assoc($query_run)) {
                $pic = $query_row['picture'];
            };
        };
    };

?>

这是一个自提交页面

.稍后在空白处的页面下方是我要回显 $pic 的地方.

This is a self submitting page <form action='thispage.php' method='post'>. Later down the page in the empty space is where I am going to echo $pic.

这种方法是否正确/最好的方法?如果需要，我会发布整个页面的代码.现在只有 75 行.

Is this method correct/the best way to do it? If need be, I will post the code for the entire page. It is only 75 lines right now.

在我被告知我应该使用 SQLi 之前，这更多是现在的概念证明，更重要的是我不知道如何从 SQL 更改为 SQLi.

And before I am told that I should be using SQLi, this is more of a proof of concept right now, and more importantly I don't know how to make the changes from SQL to SQLi.

在表单中，只有选项，没有文本输入(如果重要的话)

edit: Within the form, there are only options, not text input (if that matters)

推荐答案

这是我将如何使用现代库来做到这一点

Here's how I would do it using modern libraries

// check that all required POST parameters are present
if (isset($_POST['submit'], $_POST['gender'], $_POST['hair'], $_POST['height'],
    $_POST['body'])) {

    // create DB connection
    $pdo = new PDO('mysql:host=localhost;dbname=xxxx;charset=utf8',
        'xxxx', 'xxxx');

    // set error mode and use real prepared statements if possible
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

    // prepare an SQL statement with parameter placeholders
    // I changed the * to just `picture` as that's all you were using in your OP
    $stmt = $pdo->prepare('SELECT `picture` FROM `table` WHERE `gender` = ? AND `hair` = ? AND `height` = ? AND `body` = ?');

    // execute with the POST parameters
    $stmt->execute(array(
        $_POST['gender'],
        $_POST['hair'],
        $_POST['height'],
        $_POST['body']
    ));

    // load all "picture" results into an array
    $pics = array();
    while ($pic = $stmt->fetchColumn()) {
        $pics[] = $pic;
    }
}

这篇关于PHP 和 SQL 语法问题的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！