遇到问题从mysqli_query到mysqli_prepare

时间:2013-07-27 02:01:42

标签: php mysqli

我是PHP的新手,并创建了一个简单的php网站,允许我提交表单并删除存储在数据库中的数据。我被告知最好使用预准备语句来避免SQL注入。

我更新了我的删除,它仍然有效,不确定它是否完全正确:

<?php

include("dbconnect.php");

$getid = $_GET["id"];
$delete = mysqli_prepare($database,"DELETE FROM contacts WHERE id IN ($getid)");
mysqli_stmt_execute($delete);

header("Location:http://localhost/address-book");
exit;

?>

但我似乎无法使用数据库添加功能。我尝试了各种不同的方式来编写它,但我确信我错过了一些简单的东西。这是我最初编写的不安全代码:

<?php

if ($_SERVER["REQUEST_METHOD"] == "POST") {

include("inc/dbconnect.php");

// assigns form data to table columns
$assign = "INSERT INTO contacts(firstName,lastName,email,phone,birthday) VALUES ('$_POST[firstName]','$_POST[lastName]','$_POST[email]','$_POST[phone]','$_POST[birthday]')";

//execute query
if (mysqli_query($database,$assign)) {
    header("Location:http://localhost/address-book/");
    exit;
} else {
    exit;
}

?>

如果有人可以指导我朝着正确的方向前进,我会感激不尽。我是所有这一切的新手。

更新:我已更新了我的原始代码,并提出了相应的删除功能: 

<?php

include("dbconnect.php");

$getid = $_GET["id"];
$delete = mysqli_prepare($database,"DELETE FROM contacts WHERE id IN (?)");
mysqli_stmt_bind_param($delete, 's', $getid);
mysqli_stmt_execute($delete);

header("Location:http://localhost/address-book");
exit;

?>

和添加功能: 

<?php

if ($_SERVER["REQUEST_METHOD"] == "POST") {

include("inc/dbconnect.php");

$firstName = "$_POST[firstName]";
$lastName = "$_POST[lastName]";
$email = "$_POST[email]";
$phone = "$_POST[phone]";

// assigns form data to table columns
$assign = mysqli_prepare($database,"INSERT INTO contacts(firstName,lastName,email,phone) VALUES (?,?,?,?)");
mysqli_stmt_bind_param($assign, 'ssss', $firstName, $lastName, $email, $phone);
mysqli_stmt_execute($assign);
exit;

}

?>

1 个答案:

答案 0 :(得分:0)

一个简单的准备声明就像

一样

$query = $this->db->prepare("Query here WHERE something = ?") - 请注意,此示例来自我的网站,因此您可能会有其他内容而不是$this->->prepare.

关键是"= something "表示为问号。

然后将该问号的值绑定到查询

$query->bindValue(1, passed in parameter)

作为一个完整的例子:

    //function to add 1 to downloads each time a file is downloaded
public function addToDownload($filename){

    $query = $this->db->prepare('UPDATE trainingMaterial SET downloads = downloads + 1 WHERE filename = ?');
    $query->bindValue(1, $filename);

    try{

        $query->execute();

    }catch(PDOException $e){
        die($e->getMessage());
    }

}


Your query `$assign = "INSERT INTO contacts(firstName,lastName,email,phone,birthday) VALUES ('$_POST[firstName]','$_POST[lastName]','$_POST[email]','$_POST[phone]','$_POST[birthday]')";

将是

$assign = "INSERT INTO contacts(firstName,lastName,email,phone,birthday) VALUES ?,?,?,?,?)";
$assign->bindValue(1, '$_POST[firstName]')
$assign->bindValue(2, '$_POST[lastName]')

等等

相关问题
最新问题