我在MySQL中包含php变量的语法是否正确?

时间:2013-10-05 06:25:08

标签: php mysql

这是我的代码:

  $international_categories = $_GET['international_categories'];

      $query = "SELECT * 
      FROM 
        tourDB
      WHERE 
        categories LIKE '$international_categories'";

  $result = mysql_query( $query ) or die ( mysql_error() );

  if ( $result !== false && mysql_num_rows($result) > 0 ) {
    while ( $ilist = mysql_num_rows( $result ) > 0)  {
        $tour_id             = stripslashes( $ilist[ 'tour_id' ] );
        $tour_type           = stripslashes( $ilist[ 'tour_type' ] );
        $tour_name           = stripslashes( $ilist[ 'tour_name' ] );
        $day                 = stripslashes( $ilist[ 'day' ] );
        $nights              = stripslashes( $ilist[ 'nights' ] );
        $tour_price          = stripslashes( $ilist[ 'tour_price' ] );
        $overview            = stripslashes( $ilist[ 'overview' ] );
        $itinerary           = stripslashes( $ilist[ 'itinerary' ] );
        $terms_conditons     = stripslashes( $ilist[ 'terms_conditons' ] );
        $inclusions          = stripslashes( $ilist[ 'inclusions' ] );
        $exclusions          = stripslashes( $ilist[ 'exclusions' ] );
        $twin_triple_sharing = stripslashes( $ilist[ 'twin_triple_sharing' ] );
        $single_occcupancy   = stripslashes( $ilist[ 'single_occcupancy' ] );
        $child_with_no_bed   = stripslashes( $ilist[ 'child_with_no_bed' ] );
        $inf_below           = stripslashes( $ilist[ 'inf_below' ] );
        $pricing_details     = stripslashes( $ilist[ 'pricing_details' ] );
        $url                 = stripslashes( $ilist[ 'url' ] );
        $international_list_cat .= <<<INTERNATIONAL_LIST_CAT
        <!-- html output -->

       INTERNATIONAL_LIST_CAT;
    }
else {
    $international_list_cat = <<<INTERNATIONAL_LIST_CAT
    <!-- html output -->

    INTERNATIONAL_LIST_CAT;
}

我试图缩短列“类别”的值为“$ international_categories”的行

$international_categories = $_GET['international_categories']的值也有空格,虽然我在这里得到$_GET['international_categories']但MySQL没有在其“类别”列中整理出$_GET['international_categories']值的行。

2 个答案:

答案 0 :(得分:2)

转换

while ( $ilist = mysql_num_rows( $result ) > 0)  {

while ( $ilist = mysql_fetch_array( $result ))  {

感谢Barmar警告我。

但正如其他一些用户所评论的那样,MySQL已被弃用,并且极易受到SQL注入攻击。您可以使用PDO或MySQLi。我更喜欢MySQLi,我会将你的代码转换成:

//Define a mysqli variable to use for database connections
$mysqli->new mysqli(host, user, password, dbname);

$international_categories = $_GET['international_categories'];

//Add other columns into query or use *
$query = $mysqli->prepare("SELECT tour_id, tour_type FROM tourDB WHERE categories=?");
//Now we are inserting our external variable into our query
$query->bind_param("i", $international_categories);
$query->execute();
//Now we are declaring variables in order to fetched columns in our SELECT query.
//Add other columns into next line.
$query->bind_result($tour_id, $tour_type);
while($query->fetch())
{
    $international_list_cat .= <<<INTERNATIONAL_LIST_CAT
        <input type="text" value="$tour_type" />
<!-- html output -->

INTERNATIONAL_LIST_CAT;
}

//Now close connection
$query->close();

答案 1 :(得分:1)

while ($ilist = mysql_num_rows($result) > 0) {

应该是:

while ($ilist = mysql_fetch_assoc($result)) {