因此,我很难使用mysql搜索命令获取变量,然后在插入命令的同一脚本中使用它。我做错了什么?
<?php
$usto= $_GET["usto"];
$itena= "item";
$sql = 'SELECT sname FROM login';
$hostname_Database = "blocked";
$database_Database = "blocked";
$username_Database = "blocked";
$password_Database = "blocked";
$mysqli = new mysqli($hostname_Database, $username_Database, $password_Database, $database_Database);
if (mysqli_connect_errno()) {
printf("Connect failed: %s\n", mysqli_connect_error());
exit();
}
$result = $mysqli->query($sql);
if ($result) {
$row = $result->fetch_assoc();
$sql = "INSERT INTO pon(mis, take)
VALUES({$row['snake']}, '" . $usto . "')"; //Here, I am trying to use the result from the previous select statement for the variable
$result = $mysqli->query($sql);
if ($result) {
...etc.
}
}
?>
答案 0 :(得分:0)
您容易受到SQL injection attacks的攻击。阅读有关这些内容并首先修复您的代码。
之后,意识到->query()调用返回结果HANDLE,而不是您在查询中请求的实际字段。您必须首先 FETCH 一行数据:
$result = $mysqli->query($sql);
$row = $result->fetch_assoc();
$sql = ".... VALUES ({$row['name_of_field']} ...)";
请注意,这仍然容易受到SQL注入攻击..它纯粹是为了说明查询/获取/插入过程。