Question

我在PHP中使用查询字符串传递字符串值时出现问题。我正在使用PhpMyAdmin数据库。

以下是我的查询字符串：

http://192.168.0.106/PHP/webservice/comments.php?city_town='Vadodara'

我的php代码如下：

if(isset($_GET["city"])){
    @$city = $_GET["city"];

//echo $city;
$query = "select * from shop_detail where city_town ='". $city ."' ";

Answer 1

使用city_town而不是city并使用mysqli_real_escape_string来阻止sql注入以及table and column name in backtick

if(isset($_GET["city_town"])){
    $city = mysqli_real_escape_string($conn,$_GET["city_town"]);

//echo $city;
$query = "select * from `shop_detail` where `city_town` ='". $city ."' ";

如何从php中的查询字符串传递String Datatype值

1 个答案: