我的问题是我的函数返回null值并且不执行我的查询
function getUsers($username,$fields = '*')
{
$db_host = "localhost";
$db_user = "root";
$db_pass = "";
$db_name = 'filemanagerusers';
$connection = new mysqli($db_host,$db_user,$db_pass,$db_name);
////////////////////////////////////////////////////////////////
$query = "select $fields from users where username=".$username;
$result = $connection->query($query);
$customers = mysqli_fetch_assoc($result);//etelaate user dar ghalebe yek array be ma barmigarde
return $customers;
}
答案 0 :(得分:2)
针对您的快速 不安全 修复程序(但 由于 SQL而不是 首选 注射 ): -
$query = "select $fields from users where username= '$username'";
注意: - 用引号括起$username以使其成为字符串。
首选方式: -
始终使用 prepared statements 的 mysqli_* 来阻止 SQL Injection ,如下所示: - 的
function getUsers($username,$fields = '*')
{
$db_host = "localhost";
$db_user = "root";
$db_pass = "";
$db_name = 'filemanagerusers';
$connection = mysqli_connect(($db_host,$db_user,$db_pass,$db_name);
/* check connection */
if (mysqli_connect_errno()) {
printf("Connect failed: %s\n", mysqli_connect_error());
exit();
}
if ($stmt = mysqli_prepare($connection, "SELECT $fields FROM users where username=?")) {
/* bind parameters for markers */
mysqli_stmt_bind_param($stmt, "s", $username);
/* execute query */
mysqli_stmt_execute($stmt);
/* bind result variables */
mysqli_stmt_bind_result($stmt, $customers);
/* close statement */
mysqli_stmt_close($stmt);
/* return result*/
return $customers;
}
}