Can I use isset() to control MySQL queries?

Time: 2016-04-27 03:58:42

Tags: php mysql isset

I created an editable database to help me automate weekly member updates. Each member updates 9 values every week, which are submitted via $_POST to a secondary php handler.

From that php, the POST values are assigned to php vars, which are then used to UPDATE the SQL db.

// NOTE: the mysql_* extension is deprecated and was removed in PHP 7;
// $Game1..$Game9 and $Member hold the raw $_POST values and are interpolated
// straight into the SQL text (the injection issue mentioned below).
mysql_select_db("web_footy1") or die(mysql_error());

// The SQL statement is built
$strSQL = "UPDATE Round_6 SET ";
$strSQL = $strSQL . "Game1= '$Game1', ";
$strSQL = $strSQL . "Game2= '$Game2', ";
$strSQL = $strSQL . "Game3= '$Game3', ";
$strSQL = $strSQL . "Game4= '$Game4', ";
$strSQL = $strSQL . "Game5= '$Game5', ";
$strSQL = $strSQL . "Game6= '$Game6', ";
$strSQL = $strSQL . "Game7= '$Game7', ";
$strSQL = $strSQL . "Game8= '$Game8', ";
$strSQL = $strSQL . "Game9= '$Game9' ";
$strSQL = $strSQL . "WHERE  Member = '$Member' ";

// The SQL statement is executed
mysql_query($strSQL) or die(mysql_error());

Yes, I know this is open to SQL injection; it's a private site, so security can wait atm.

The problem is that all the values are updated at the same time: to update one value you need to re-enter all of them, otherwise they get replaced with empty values.

So my question is twofold. A) What is the cleanest way to control each variable separately, and B) can I, and if so how, use isset($GameX) to control which queries get executed?

For example

IF (isset($Game1)) {UPDATE Round6 SET Game1='$Game1' WHERE Member='$Member'} ;

Bear in mind that 3 weeks ago I knew nothing about coding, and in that time I've had a crash course in html, php and sql... Cheers

1 answer:

Answer 0 (score: 1)

I really cannot recommend strongly enough that you FIX your SQL injection.

That being said, you can programmatically add conditions to the UPDATE clause. One example might be the following snippet:

<?php

$Game3 = "things";
$Game5 = "stuff";
$Game6 = "awesome";
$Member = 'ben';

$update_parts = array();
for ($game_counter = 1; $game_counter < 10; $game_counter++) {
    $variable_name = "Game" . $game_counter;
    if ( isset($$variable_name) ) { // This is like isset($Game1)
        $update_parts[] = "Game" . $game_counter . " = '" . $$variable_name . "'";
    }
}

if ( sizeof($update_parts) > 0 ) {
    $strSQL = "UPDATE Round_6 SET ";
    $strSQL .= implode(", ", $update_parts);
    $strSQL .= " WHERE Member = '$Member'";
    echo $strSQL;
}

I put a few variables in there. This produces the following SQL:

UPDATE Round_6 SET Game3 = 'things', 
  Game5 = 'stuff', Game6 = 'awesome' WHERE Member = 'ben'

EDIT: If you want to use PDO, you need to separate the query and the parameters. In the example below, I put the query parameters in

$conn = new PDO("mysql:host=localhost;dbname=database;","username","password"); // Your Connection String

$update_parts = array();
$query_params = array();
for ($game_counter = 1; $game_counter < 10; $game_counter++) {
    $variable_name = "Game" . $game_counter;
    if ( isset($$variable_name) ) { // This is like isset($Game1)
        $update_parts[] = "Game" . $game_counter . " = ?";
        $query_params[] = $$variable_name;
    }
}

if ( sizeof($update_parts) > 0 ) {
    $strSQL = "UPDATE Round_6 SET ";
    $strSQL .= implode(", ", $update_parts);
    $strSQL .= " WHERE Member = ?";
    $query_params[] = $Member;

    // Here is where you'd run the update
    $stmt = $conn->prepare($strSQL);
    $stmt->execute($query_params); // Notice I'm passing in the parameters separately
}
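The same pattern carried through to the form data, as an added example that is not code from the question or the answer: it reads the fields from the $_POST array instead of variable variables, keeps the column names in an allowlist, binds every value, and skips fields that were not submitted (or were submitted blank) so the stored value survives. It runs against an in-memory SQLite database through PDO so it can be tried offline; the table and column names come from the question, the SQLite fixture and the sample request are constructed here.

```php
<?php
// Added example (not the question's or the answer's code). Column names come
// from a fixed list, values are bound as parameters, and unsent fields are left
// alone. Uses SQLite in memory so it runs offline; swap in the MySQL DSN for real use.

function buildMemberUpdate(array $post, string $table = 'Round_6'): ?array
{
    // Column names come only from this loop, never from the request.
    $set = [];
    $params = [];
    for ($i = 1; $i <= 9; $i++) {
        $column = "Game$i";
        // isset() is true for "" (an empty form field) and false only for a
        // missing key or null, so empty strings are skipped too; otherwise an
        // untouched field would overwrite the stored value with a blank.
        if (!isset($post[$column]) || $post[$column] === '') {
            continue;
        }
        $set[] = "$column = :$column";
        $params[":$column"] = $post[$column];
    }
    if ($set === [] || !isset($post['Member']) || $post['Member'] === '') {
        return null; // nothing to update, or no member to match on
    }
    $params[':Member'] = $post['Member'];
    return ["UPDATE $table SET " . implode(', ', $set) . ' WHERE Member = :Member', $params];
}

// Constructed fixture: one member row with existing values for Game1 and Game4.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$columns = implode(', ', array_map(function ($i) { return "Game$i TEXT"; }, range(1, 9)));
$pdo->exec("CREATE TABLE Round_6 (Member TEXT PRIMARY KEY, $columns)");
$pdo->exec("INSERT INTO Round_6 (Member, Game1, Game4) VALUES ('ben', 'old1', 'old4')");

// Constructed sample request: Game1 changed (and contains a quote), Game4 was
// submitted blank, Game7 was filled in, and the other fields were not sent at all.
$samplePost = ['Game1' => "O'Brien", 'Game4' => '', 'Game7' => '3', 'Member' => 'ben'];

$update = buildMemberUpdate($samplePost);
if ($update !== null) {
    [$sql, $params] = $update;
    echo $sql, PHP_EOL;        // the quote in Game1 is bound as data, not spliced into the SQL
    $stmt = $pdo->prepare($sql);
    $stmt->execute($params);
}
// Game4 was skipped by the builder, so its stored value survives the update.
$row = $pdo->query("SELECT Game1, Game4, Game7 FROM Round_6 WHERE Member = 'ben'")->fetch(PDO::FETCH_ASSOC);
print_r($row);
```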