如何在=符号后显示html表单POST数据?
$tsql = "UPDATE dbo.[order]
SET status=''
WHERE order_ID='' ";
答案 0 :(得分:2)
所有POST数据都存储在$_POST中
将$ _POST ['dataname']放在那里。
SET status='".$_POST['dataname']."'
将是正确的替代品。
答案 1 :(得分:1)
可以使用$ _POST suberglobal检索POST数据,如下所示:
.... " SET status = '{$_POST['form_field_name']}'";
但是,我建议尽可能使用预备语句。将表单数据直接放入SQL语句是一种不好的做法,可能会导致安全问题。
您应该使用这样的预备语句:
// Store the form data in variables
$status = $_POST['status_field'];
$order_ID = $_POST['order_ID_field'];
// If you're not going to use prepared statements AT LEAST do this
// Not a necessary step if using prepared statements
$sanitized_status = mysqli_real_escape_string($dbConnection, $status);
$sanitized_order_ID = mysqli_real_escape_string($dbConnection, $order_ID);
// Prepare the SQL
// When script is run database will compile this statement first
$stmt = $dbConnection->prepare('UPDATE table_name SET status = ? WHERE order_ID = ?');
// Parameters are bound to the COMPILED statement not the string
$stmt->bind_param('si', $sanitized_status, $sanitized_order_ID);
$stmt->execute();
关键是将表单数据绑定到编译语句而不是SQL字符串本身。在下面这个优秀的资源中阅读有关预备语句的更多信息!