显示动态结果PHP mySQL

时间:2013-05-15 08:15:04

标签: php mysql variables

我有一个问题,即sql将列名称作为Value而不是名称本身。

例如,返回的结果显示

SELECT ll_project.project_id, ll_project.size, ll_lessons.lesson_title FROM ll_project INNER JOIN ll_lessons ON ll_project.project_id = ll_lessons.project_id WHERE ll_project.project_id = BSKYB5555
Unknown column 'BSKYB5555' in 'where clause'

来自以下代码

$pid = $_POST['project_id'] ;
$psize = $_POST['projectSize'] ;
$pdepts = $_POST['depts'] ;
$lstage = $_POST['stage'] ;
$ltype = $_POST['type'] ;
$impacted = $_POST['impacted'] ;
//Your columns in the DB 
$columns = array('project_id'=>'ll_project.project_id','projectSize'=>'ll_project.size','depts'=>'ll_project.deptartment','stage'=>'ll_lessons.stage','type'=>'ll_lessons.type','impacted'=>'impacted'); 

$sqlString = null;
echo "Total Number Of Captured Post Variables is:";
echo count($_POST);
echo '<br />';

$number = 0;
$queryStr = ""; 
$preStr = array(); 
foreach ($_POST as $key => $val ) {

if (!empty($_POST[$key])){
       if(!is_array($_POST[$key]))
           $currentStr = $columns[$key]." = ".$val; 
       else
       $currentStr = $columns[$key]." IN (".implode(',',$_POST[$key]).")"; 
       $preStr[] = $currentStr; 
   }
 }
$queryStr = "SELECT ll_project.project_id, ll_project.size, ll_lessons.lesson_title FROM ll_project INNER JOIN ll_lessons ON ll_project.project_id = ll_lessons.project_id  WHERE ".implode(' AND ',$preStr);

echo $queryStr; 
echo '<br />';
if($number ==1) {
}else{
}

$result = mysql_query($queryStr) or die(mysql_error());
 while($row = mysql_fetch_assoc($result)) {
 echo ' <tr>
<td>'.$row['project_name'].' </td>
<td>'.$row['project_id']. ''; 
 }

我做错了什么,为什么这会将值作为列名?

2 个答案:

答案 0 :(得分:4)

在查询值周围添加引号

SELECT ll_project.project_id, ll_project.size, ll_lessons.lesson_title FROM ll_project INNER JOIN ll_lessons ON ll_project.project_id = ll_lessons.project_id WHERE ll_project.project_id = "BSKYB5555"

由于没有引用,它不会将其视为字符串

修改

不幸的是,代码和逻辑有点难以理解,因为没有评论

您可以尝试替换

$currentStr = $columns[$key]." = ".$val; 

$currentStr = $columns[$key]." = '".mysql_real_escape_string($val)."'"; 

这可以解决您的问题,并通过直接在查询中使用用户输入来删除您当前拥有的SQL注入漏洞。

答案 1 :(得分:0)

如果在查询中使用字符串,则必须将其包围

SELECT ll_project.project_id, ll_project.size, ll_lessons.lesson_title FROM ll_project INNER JOIN ll_lessons ON ll_project.project_id = ll_lessons.project_id WHERE ll_project.project_id = 'BSKYB5555'