在查询字符串中注入变量时,选择返回空结果

时间:2014-11-03 12:04:05

标签: php python mysql

我尝试以下PHP代码:

$db = mysql_connect('localhost', 'root','');

mysql_select_db('mydatabase',$db);
$sql = 'SELECT id from user where name = \''.$my_name.'\'';
//$sql = 'SELECT id from user where name=\'Some Name \'';

echo $sql.'<br>';
$req=  mysql_query($sql) or die('Erreur SQL !<br>'.$sql.'<br>'.mysql_error()); 
$data = mysql_fetch_assoc($req);
mysql_close();
if($data) {
    echo 'id from database= '.$data['id'].'<br>';
    $id = $data['id'];
}

但它永远不会进入if($data)声明。 如您所见,我尝试打印sql请求;如果我将它复制粘贴到mysql数据库,它将返回预期的ID。

请注意,变量$ my_name不为空并且具有正确的数据。更奇怪的是,如果我取消注释该行:

//$sql = 'SELECT id from user where name=\'Some Name \'';

它有效,$my_name中的数据是“Some Name”......

我在我的代码中提出了其他请求,所有工作正常,除了这个。

最后注意:该变量取自extern python脚本:

$command = escapeshellcmd('python /var/my_script.py '.$id_for python);
$my_name = shell_exec($command);
echo htmlspecialchars($my_name).'<br>';

因此,从python脚本返回数据并在mysql请求中使用它之间似乎是一些错误......

修改

实际上它应该是python脚本的问题。我甚至无法从python中插入数据库:

import operator
import sys
import MySQLdb
from BeautifulSoup import BeautifulSoup, Comment, BeautifulStoneSoup
bugs = ""
username = "username";
password = "passwd#";
display = Display(visible=0, size = (800, 600))
display.start()
driver=webdriver.Chrome()
driver.get('somesite')
driver.find_element_by_name('ctl00$contextHolder$Login_name').send_keys(username)
driver.find_element_by_name('ctl00$contextHolder$Login_password').send_keys(password)
driver.find_element_by_name('ctl00$contextHolder$LoginButton').click()
display = Display(visible=0, size = (800, 600))
display.start()
driver=webdriver.Chrome()
driver.get('somesite')
driver.find_element_by_name('ctl00$contextHolder$Login_name').send_keys(username)
driver.find_element_by_name('ctl00$contextHolder$Login_password').send_keys(password)
driver.find_element_by_name('ctl00$contextHolder$LoginButton').click()

try:
    driver.get('https://somesite/SearchTicketPr.aspx')
    driver.find_element_by_name('ctl00$MainContent$SearchTickets$TB_TicketId').send_keys(sys.argv[1])
    driver.find_element_by_name('ctl00$MainContent$SearchTickets$B_Search').click()
    soup = driver.find_element_by_xpath("//*").get_attribute("outerHTML")
    reporter = soup.split('ctl00_MainContent_DG_TicketList_ctl03_L_EscalationFlg">')[1].split('</td><td>')[4]

    # We need to insert the reporter and mantis id directly in database
    #For Linux, this is a casual package (python-mysqldb). (You can use sudo apt-get install python-mysqldb in command line to download.)
    db = MySQLdb.connect(host="localhost", # your host, usually localhost
                     user="root", # your username
                      passwd="", # your password
                      db="myDB") # name of the data base

    # you must create a Cursor object. It will let
    #  you execute all the queries you need
    cur = db.cursor() 
    sql_req= "INSERT INTO ticket (number, username) VALUES ('" + sys.argv[1] + "', '" + reporter + "')"
    print sql_req
    # Use all the SQL you like
    cur.execute(sql_req)

    print reporter
<pre> <code> 
except:
    driver.quit()
    display.stop()
    raise

这会正确打印报告的变量,打印的sql请求也打印得很好。没有错误消息,但数据未插入数据库中。

编码可能有问题吗?

2 个答案:

答案 0 :(得分:0)

试试这个:

...

$sql = "SELECT id from user where name = '".$my_name."'";

...

如果第一行因为$my_name var包含非法字符或类似内容而给出错误,则应在使用sql请求发送之前对其进行验证。

答案 1 :(得分:0)

这是因为您的查询有误,请更改此信息:

 $sql = 'SELECT id from user where name = \''.$my_name.'\'';

要:

 $sql = "SELECT id from user where name = '$my_name'";
相关问题
最新问题