簡單的mysql_query這裏是我的代碼:與WHERE子句失敗
<p>Select application status to view.</p>
<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
<select name="type" style="width:100px;">
<option name="New">New</option>
<option name="Approved">Approved</option>
<option name="Denied">Denied</option>
<option name="In Training">In Training</option>
<option name="Passed">Passed</option>
<option name="Retrained">Retrained</option>
<option name="Failed">Failed</option>
<option name="Placed">Placed</option>
</select>
<input type="submit" value="Go" />
</form>
<?php if (!isset($_POST['type'])):
$newapps = mysql_query('SELECT aid, status, Day, Dte, Month, Year, email, Character_Name FROM applications WHERE status LIKE "New"'); ?>
<table>
<tr>
<td><strong>ID</strong></td>
<td><strong>Status</strong></td>
<td><strong>Date Submitted</strong></td>
<td><strong>E-mail</strong></td>
<td><strong>Character Name</strong></td>
</tr>
<?php while ($newapp = mysql_fetch_array($newapps))
{
$aid = $newapp['aid'];
$status = $newapp['status'];
$day = $newapp['Day'];
$date = $newapp['Dte'];
$month = $newapp['Month'];
$year = $newapp['Year'];
$email = $newapp['email'];
$name = $newapp['Character_Name'];
echo "<tr><td>$aid</td><td>$status</td><td>$day, $month $date $year</td><td>$email</td><td>$name</td></tr>\n";
}
?>
</table>
<?php else:
$query1 = "SELECT aid, status, Day, Dte, Month, Year, email, Character_Name FROM applications WHERE status LIKE '{$_POST['type']}'";
$result = mysql_query('$query1') or die(mysql_error());
?>
<table>
<tr>
<td><strong>ID</strong></td>
<td><strong>Status</strong></td>
<td><strong>Date Submitted</strong></td>
<td><strong>E-mail</strong></td>
<td><strong>Character Name</strong></td>
</tr>
<?php while ($applist = mysql_fetch_array($result))
{
$aid = $applist['aid'];
$status = $applist['status'];
$day = $applist['Day'];
$date = $applist['Dte'];
$month = $applist['Month'];
$year = $applist['Year'];
$email = $applist['email'];
$name = $applist['Character_Name'];
echo "<tr><td>$aid</td><td>$status</td><td>$day, $month $date $year</td><td>$email</td><td>$name</td></tr>\n";
}
?>
</table>
<?php endif; ?>
當我加載網頁,它不拉「新」應用程序正常。但是,當我運行查詢拉起,例如,批准的應用程序,我得到這個錯誤:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '$query1' at line 1
任何想法我失蹤?
永遠不要將POST變量直接放到SQL查詢中。我建議您仔細閱讀以下內容:http://www.google.com/search?sourceid=chrome&ie=UTF-8&q=php+input+sanitization – keithjgrant 2011-02-05 00:40:39
...以及使用PDO對象時的獎勵積分:http ://www.php.net/manual/en/class.pdo.php – keithjgrant 2011-02-05 00:42:27