我有一个数据库表。我想创建一个文本输入,用户可以在其中输入“uid”,查询将返回与该 uid 关联的行。
假设我有这样的东西:
$query = "SELECT name,age FROM people WHERE uid = '2' LIMIT 0,1";
$result = mysql_query($query);
$res = mysql_fetch_assoc($result);
echo $res["age"];
我如何将该查询修改为类似..
SELECT name, age
FROM people
WHERE uid = $_POST['blahblah'] LIMIT 0,1
在此先感谢您的帮助!
事实上...
// Read input from $_POST
$uid = (isset($_POST['uid']) ? $_POST['uid'] : '');
// Build query. Properly escape input data.
$query =
"SELECT name,age " .
"FROM people " .
"WHERE uid = '" . mysql_real_escape_string($uid) . "' " .
"LIMIT 0,1";
出于安全原因,建议对变量中的字符进行转义。看一下这个文档,有几个原因:
http://en.wikipedia.org/wiki/SQL_injection http://en.wikipedia.org/wiki/SQL_injection
本文内容由网友自发贡献,版权归原作者所有,本站不承担相应法律责任。如您发现有涉嫌抄袭侵权的内容,请联系:hwhale#tublm.com(使用前将#替换为@)