返回NULL THST執行查詢

Question

我的問題是我的函數返回空值，並且不執行我的查詢

function getUsers($username,$fields = '*') 
{ 
    $db_host = "localhost"; 
    $db_user = "root"; 
    $db_pass = ""; 
    $db_name = 'filemanagerusers'; 
    $connection = new mysqli($db_host,$db_user,$db_pass,$db_name); 
    //////////////////////////////////////////////////////////////// 
    $query = "select $fields from users where username=".$username; 
    $result = $connection->query($query); 
    $customers = mysqli_fetch_assoc($result);//etelaate user dar ghalebe yek array be ma barmigarde 
    return $customers; 
} 

Answer 1

快速不安全修復你（但不最好由於SQL注入）： -

$query = "select $fields from users where username= '$username'"; 

注意： - 用引號括起$username使其成爲字符串。

的首選方法： -

始終使用prepared statements的mysqli_*防止SQL Injection象下面這樣： -

function getUsers($username,$fields = '*') 
{ 
    $db_host = "localhost"; 
    $db_user = "root"; 
    $db_pass = ""; 
    $db_name = 'filemanagerusers'; 
    $connection = mysqli_connect(($db_host,$db_user,$db_pass,$db_name); 
    /* check connection */ 
    if (mysqli_connect_errno()) { 
     printf("Connect failed: %s\n", mysqli_connect_error()); 
     exit(); 
    } 
    if ($stmt = mysqli_prepare($connection, "SELECT $fields FROM users where username=?")) { 

     /* bind parameters for markers */ 
     mysqli_stmt_bind_param($stmt, "s", $username); 

     /* execute query */ 
     mysqli_stmt_execute($stmt); 

     /* bind result variables */ 
     mysqli_stmt_bind_result($stmt, $customers); 


     /* close statement */ 
     mysqli_stmt_close($stmt); 

     /* return result*/ 

     return $customers; 
    } 
}