我有以下聲明:如何將php變量插入到mysql查詢中?
SELECT bname,cnum,vnum, MATCH(vtext) AGAINST (''".$word."'') as relevance FROM kjv WHERE MATCH(vtext) AGAINST (''".$word."'') AND bnum='".$book."' ORDER by relevance DESC, bnum, cnum, vnum LIMIT 0,1");
返回空行,但如果我用替代硬編碼值的變量,一切順利通過。這些變量不是空的,我知道是因爲我將它們輸入框中後輸出到頁面。由於
嘗試
mysql_query("SELECT bname,cnum,vnum, MATCH(vtext) AGAINST($word) as relevance FROM kjv WHERE MATCH(vtext) AGAINST ($word) AND bnum='$book' ORDER by relevance DESC, bnum, cnum, vnum LIMIT 0,1");
這將是更好看多周圍的代碼,但我希望它是雙單引號引起的問題:
SELECT bname,cnum,vnum, MATCH(vtext) AGAINST ('".$word."') as relevance FROM kjv WHERE MATCH(vtext) AGAINST ('".$word."') AND bnum='".$book."' ORDER by relevance DESC, bnum, cnum, vnum LIMIT 0,1");
此答案解決了手頭的問題,但未能解決更緊迫的問題( SQL注入,使用參數化查詢的優點...)處理*那些*我會upvote :) –
Downvoted出於顯而易見的原因。請使用參數化查詢! – nietonfir
嘗試這樣的:
SELECT bname,cnum,vnum, MATCH(vtext) AGAINST ("$word") as relevance
FROM kjv WHERE MATCH(vtext) AGAINST ("$word") AND bnum= "$book"
ORDER by relevance DESC, bnum, cnum, vnum LIMIT 0,1");
嗨試試這個如果你已經保存了變量值。
SELECT bname,cnum,vnum, MATCH(vtext) AGAINST ('$word') as relevance FROM kjv WHERE MATCH(vtext) AGAINST ('$word') AND bnum='".$book."' ORDER by relevance DESC, bnum, cnum, vnum LIMIT 0,1");
無論您是否可以使用它,這種將字符串直接連接到SQL命令的方法都是非常不安全的。 *永遠不要*將輸入視爲代碼,並盲目地對數據庫執行。使用準備好的語句,將輸入視爲值而不是代碼:http://php.net/manual/en/mysqli.prepare.php – David