请帮我解决这个问题。第一个查询将返回一条消息,说明
Couldn't execute query: Unknown column 'ssd23' in 'where clause.
ssd23是$_POST从html表单获取pnumber的值。但是,如果只有数字,它将起作用。
$result = mysqli_query($con, "DELETE FROM Tools WHERE PartNumber = {'$_POST['pnumber']'}") or die ("Couldn't execute query: " .mysqli_error($con));
使用变量后,下面的第二个查询将同时适用于数字和字符。
$test = $_POST['pnumber'];
$result = mysqli_query($con, "DELETE FROM Tools WHERE PartNumber = '$test'") or die ("Couldn't execute query: " .mysqli_error($con));
答案 0 :(得分:1)
替换这个:
$result = mysqli_query($con, "DELETE FROM Tools WHERE PartNumber = {'$_POST['pnumber']'}") or die ("Couldn't execute query: " .mysqli_error($con));
有了这个:
$result = mysqli_query($con, "DELETE FROM Tools WHERE PartNumber = '" . $_POST['pnumber'] ."'") or die ("Couldn't execute query: " .mysqli_error($con));
注意我没有注意上面的SQL注入
更好的是使用准备语句来保护你的查询,在你的情况下它将是这样的:
$sql= 'DELETE FROM Tools WHERE PartNumber= ?';
$stmt = $con->prepare($sql);
$stmt->bind_param('i', $_POST['pnumber']);
$stmt->execute();