$id1 = $_POST['number']; //here i am getting a php variable called number
$result = mysqli_query($con, "SELECT id,main FROM first WHERE ?how can i put that number right here?");
我使用ajax从另一个页面获取变量,我应该把它放到mysql命令中。我该怎么做?
答案 0 :(得分:1)
以下是使用预准备语句的示例:
/* Create a new mysqli object with database connection parameters */
$mysqli = new mysql('localhost', 'username', 'password', 'db');
if(mysqli_connect_errno()) {
echo "Connection Failed: " . mysqli_connect_errno();
exit();
}
/* Create a prepared statement */
if($stmt = $mysqli -> prepare("SELECT priv FROM testUsers WHERE username=?
AND password=?")) {
/* Bind parameters
s - string, b - blob, i - int, etc */
$stmt -> bind_param("ss", $user, $pass);
/* Execute it */
$stmt -> execute();
/* Bind results */
$stmt -> bind_result($result);
/* Fetch the value */
$stmt -> fetch();
echo $user . "'s level of priviledges is " . $result;
/* Close statement */
$stmt -> close();
}
/* Close connection */
$mysqli -> close();
我强烈建议您尽早研究准备好的陈述。
答案 1 :(得分:0)
选项1.很适合准备好的陈述
选项2。" SELECT id,main FROM first WHERE id = $ id"
当用双引号指定字符串时,会在其中解析变量。
答案 2 :(得分:0)
$result = mysqli_query($con, "SELECT id,main FROM first WHERE your_db_field = $id1");
OR
$result = mysqli_query($con, "SELECT id,main FROM first WHERE your_db_field = " . $id1 . ");
应该工作得很好。
但是,您应该考虑使用存储过程来避免任何安全漏洞......
答案 3 :(得分:-1)
//Get ur name from Post Request
$number=$_POST['number'];
$query="SLEECT * FROM TABLE_NAME WHERE colunm_name='$number"; (or)
$query="SLEECT * FROM TABLE_NAME WHERE colunm_name='".$number."'";
$result=mysql_query($con,$query)
//Using Prepared Statement
$stmt = $dbh->prepare("SELECT * FROM TABLE_NAME where COLUMN_NAME= ?");
if ($stmt->execute(array($_GET['number']))) {
while ($row = $stmt->fetch()) {<br />
print_r($row);<br />
}
}