Question

我的PHP文件包含以下功能。当我将审核列设置为'$review'而IdUser设置为2时，它可以正常工作。但我需要将IdUser设置为变量$user。将IdUser设置为变量而不是常量的正确语法是什么？（最好以避免SQL注入攻击的方式）。

function addRatings2($review, $user) {  
    //try to insert a new row in the "ratings" table with the given UserID
    $result = query("UPDATE ratings SET review ='$review' WHERE IdUser = 2 order by dateTime desc limit 1");    
}

Answer 1

正确的语法是使用

{$var}无论您希望var的当前值出现在哪里，所以在您的情况下它将是

$result = query("UPDATE ratings SET review ='{$review}' WHERE IdUser = {$user}
order by dateTime desc limit 1");

Answer 2

//抗注射

$ user =（int）$ user;

$ review = mysql_real_escape_string（$ result）; // mysqli_real_escape_string会更好

$ result = query（“UPDATE rating SET review ='$ review'WHERE IdUser = $ user order by dateTime desc limit 1”）;

Answer 3

您必须使用单引号作为字符串，但您不需要为整数

query("UPDATE ratings SET review ='$review' WHERE IdUser = $user order by dateTime desc limit 1");

Answer 4

试试这个。 function addRatings2($review, $user) {



$review = mysql_real_escape_string($review);

$user = (int)$user 

$result = query("UPDATE ratings SET review ='$review' WHERE IdUser = $user order by        dateTime desc limit 1");

$result = query("UPDATE ratings SET review ='$review' WHERE IdUser = $user order by dateTime desc limit 1");

PHP mySQL查询使用变量更新表中的行

4 个答案: