Variables in a PHP SQL query

Date: 2012-07-21 05:28:03

Tags: php sql

The variables in this script just don't work at all, and it is driving me crazy. If anyone can help, that would be great!

<?php
$db = mysql_connect('HOST', 'USER', 'PASS') or die('Could not connect: ' . mysql_error());
mysql_select_db('DBNAME') or die('Could not select database');

// Strings must be escaped to prevent SQL injection attack.
$name      = mysql_real_escape_string($_GET['name'], $db);
$score     = mysql_real_escape_string($_GET['score'], $db);
$QuestionN = mysql_real_escape_string($_GET['QuestionN'], $db);
$hash      = $_GET['hash'];
$num       = (int)$QuestionN;
$var1      = mysql_real_escape_string($_POST['var1']);
$var2      = mysql_real_escape_string($_POST['var2']);

$secretKey = "SecretKey"; # Change this value to match the value stored in the client javascript below

$real_hash = md5($name . $score . $secretKey);
if ($real_hash == $hash) {
    $query = mysql_query("UPDATE Quiz1 SET " . $var1 . " = (1 + " . $var1 . ")" . " WHERE Question = " . $var2);
    //$query = mysql_query("UPDATE Quiz1 SET " . $score . " = (1 + " . $score . ")" . " WHERE Question = " . $QuestionN);
    //$query = mysql_query("UPDATE Quiz1 SET A = (1 + A ) WHERE Question = 1 ");

    $result = mysql_query($query) or die('Query failed: ' . mysql_error());
}
print($var1);
?>

Cleaned this up using PDO; better-practice PHP code for anyone who needs it.

<?php
// Configuration
$hostname = 'host';
$username = 'user';
$password = 'pass';
$database = 'DBNAME';
//$score = 'A';

$name      = $_GET['name'];
$score     = $_GET['score'];
$QuestionN = $_GET['QuestionN'];
$table     = $_GET['table'];
$hash      = $_GET['hash'];
$num       = (int)$QuestionN;
$secretKey = "SecretKey"; # Change this value to match the value stored in the client javascript below

$real_hash = md5($name . $score . $secretKey);
// if($real_hash == $hash) {

try {
    $conn = new PDO('mysql:host=' . $hostname . ';dbname=' . $database, $username, $password);
    echo "Connected to database"; // check for connection
    //$dbh->exec("UPDATE Quiz1 SET $score = 1 WHERE Question = 1");  // THIS DOES NOT
    //$dbh->exec("UPDATE Quiz1 SET B = 1 WHERE Question = 1");       // THIS WORKS
    $conn->exec("SET CHARACTER SET utf8");      // Sets encoding UTF-8
    //$score = 'A';
    //$scoreB = 'A';
    $author = 'Imanda';
    //$id = 1;
    // query
    //$table = 'Quiz1';
    // $table and $score are interpolated straight into the SQL text as identifiers;
    // only the question number is passed as a bound parameter.
    $sql = "UPDATE $table
            SET $score = ( 1 + $score)
            WHERE Question = ?";
    $q = $conn->prepare($sql);
    $q->execute(array($QuestionN));

    //AddScore($dbh,'Quiz1','A','1');
}
catch (PDOException $e)
{
    echo $e->getMessage();
}
// }
?>
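An added example, not part of the original question or either answer: the same "add one to a score column for one question" update written the way a reviewer would want it. A table or column name cannot be sent through a `?` placeholder, so in the PDO version above `$table` and `$score` still travel from `$_GET` straight into the SQL text; the fix is to accept only names from a fixed list and never the raw request value. The hash check is also replaced: `md5($name . $score . $key)` gives the same digest for ("ab","c") and ("a","bc") because nothing separates the fields, and `==` on two hex digests is subject to PHP's numeric-string comparison, so the example uses an HMAC over a delimited message and `hash_equals`. Because the original stores the key in client-side JavaScript, any key the browser holds only stops casual tampering, whatever hash is used. The table `Quiz1` with integer columns A to D and `Question`, the `utf8mb4` charset, and the names `addScore` and `checkHash` are assumptions for this example.

```php
<?php
// Added example (not the original poster's code). Assumes table Quiz1 with
// integer score columns A..D and an integer column Question.
declare(strict_types=1);

// Identifiers are whitelisted, because PDO cannot bind a table or column name.
const ALLOWED_TABLES  = ['Quiz1' => true];
const ALLOWED_COLUMNS = ['A' => true, 'B' => true, 'C' => true, 'D' => true];

function checkHash(string $name, string $score, string $hash, string $secretKey): bool
{
    // HMAC over a delimited message, compared in constant time. The "\0"
    // separator keeps ("ab","c") and ("a","bc") from producing the same MAC.
    $expected = hash_hmac('sha256', $name . "\0" . $score, $secretKey);
    return hash_equals($expected, $hash);
}

function addScore(PDO $conn, string $table, string $column, int $question): int
{
    if (!isset(ALLOWED_TABLES[$table])) {
        throw new InvalidArgumentException("table not allowed: $table");
    }
    if (!isset(ALLOWED_COLUMNS[$column])) {
        throw new InvalidArgumentException("column not allowed: $column");
    }
    // Identifiers come only from the whitelist above; the one user-controlled
    // value in the statement, the question number, is a bound parameter.
    $sql  = "UPDATE `$table` SET `$column` = `$column` + 1 WHERE Question = ?";
    $stmt = $conn->prepare($sql);
    $stmt->execute([$question]);
    return $stmt->rowCount();
}

// Throw on errors and use server-side prepared statements rather than
// client-side emulation (assumed connection details, as in the question).
$conn = new PDO('mysql:host=host;dbname=DBNAME;charset=utf8mb4', 'user', 'pass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);

$secretKey = 'SecretKey'; // must match the client; a key the browser holds is not secret
$name      = $_GET['name']  ?? '';
$score     = $_GET['score'] ?? '';
$hash      = $_GET['hash']  ?? '';
$questionN = filter_input(INPUT_GET, 'QuestionN', FILTER_VALIDATE_INT);

if ($questionN === false || $questionN === null || !checkHash($name, $score, $hash, $secretKey)) {
    http_response_code(400);
    exit('bad request');
}

// The table name is fixed here; $score selects the column and is checked
// against the whitelist inside addScore().
$updated = addScore($conn, 'Quiz1', $score, $questionN);
echo "rows updated: $updated";
```

The whitelist is the whole point: with identifiers restricted to known names and the row selector bound as an integer, the request can only change which of the four fixed columns is incremented, never the shape of the statement.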

2 Answers:

Answer 0 (score: 1)

You are using mysql_query in two places; it should only be in one.

$query = mysql_query("UPDATE Quiz1 SET " . $var1 . " = (1 + ". $var1 .")". " WHERE Question = " . $var2);

    $result = mysql_query($query) or die('Query failed: ' . mysql_error()); 
} 

$query = "UPDATE Quiz1 SET " . $var1 . " = (1 + ". $var1 .")". " WHERE Question = " . $var2;
    $result = mysql_query($query) or die('Query failed: ' . mysql_error()); 
} 

Answer 1 (score: 0)

Be sure to check the MySQL documentation to help you with your task.

mysqli http://php.net/manual/en/book.mysqli.php

PDO http://php.net/manual/en/book.pdo.php