<?php
if(isset($_POST['search']))
{
$department = $_POST['department'];
$class = $_POST['class'];
$i = 1;
$sql = "SELECT `student_id` , `name`, `htno`, `department`, `class` , `image_name` FROM student_detail where department=$department && class=$class";
$query = mysqli_query($conn, $sql);
if (!$query) {
die ('SQL Error: ' . mysqli_error($conn));
}
while ($row = mysqli_fetch_array($query)) {?>
<tr>
<td><?php echo $i++; ?></td>
<td><?php echo $row['name']; ?></td>
<td><?php echo $row['htno']; ?></td>
<td><?php echo $row['department']; ?></td>
<td><?php echo $row['class']; ?></td>
<td>
<button data-toggle="modal" data-target="#view-modal" data-id="<?php echo $row['student_id']; ?>" id="getStudent" class="btn cur-p btn-info"><i class="glyphicon glyphicon-eye-open"></i> View</button>
<a href="<?php echo BASE_URL; ?>/controller/delete.php?student_id=<?php echo $row['student_id']; ?>" class="btn cur-p btn-danger" onClick="return confirm('Are you sure you want to delete?')">Delete</a></button>
</td>
</tr>
<?php }
if ($result === false) {
echo "No Data Found";
}
}
?>
使用此代码时出错
SQL错误:SQL语法中有错误;检查手册 对应于您的MariaDB服务器版本,以获得正确的语法 靠近&#39; A&#39;在第1行
有什么问题?
答案 0 :(得分:4)
您应该使用准备好的陈述。
if(isset($_POST['search']))
{
$department = $_POST['department'];
$class = $_POST['class'];
$i = 1;
$query = "SELECT
`student_id`,
`name`,
`htno`,
`department`,
`class`
FROM student_detail
WHERE department = ? && class = ? ";
$stmt = $conn->prepare($query);
$stmt->bind_param('ss', $department, $class);
$stmt->execute();
$result = $stmt->get_result();
if (!$result) {
die ('SQL Error: ' . mysqli_error($conn));
}
while ($row = $result->fetch_assoc()) { ?>
<tr>
<td><?php echo $i++; ?></td>
<td><?php echo $row['name']; ?></td>
<td><?php echo $row['htno']; ?></td>
<td><?php echo $row['department']; ?></td>
<td><?php echo $row['class']; ?></td>
<td>
<button data-toggle="modal" data-target="#view-modal" data-id="<?php echo $row['student_id']; ?>" id="getStudent" class="btn cur-p btn-info"><i class="glyphicon glyphicon-eye-open"></i> View</button>
<a href="<?php echo BASE_URL; ?>/controller/delete.php?student_id=<?php echo $row['student_id']; ?>" class="btn cur-p btn-danger" onClick="return confirm('Are you sure you want to delete?')">Delete</a></button>
</td>
</tr>
<?php }
if ($result === false) {
echo "No Data Found";
}
}
答案 1 :(得分:3)
在SQL中,您没有将变量括在引号中:
where department=$department && class=$class
这将转换为
where department=My Department && class=My Class
(当然,取决于变量中的数据)。
你需要在变量周围加上引号,然后你就会停止看到这个特定的错误:
where department='$department' AND class='$class'
另外,请使用AND而不是&&
最后 - 最重要的是,这不是一个好的SQL实践,因为你对SQL注入攻击持开放态度,即。有人将字符串传递给变量以尝试破坏查询,或者更糟糕的是,编辑/删除数据。
您将很好地了解如何使用预准备语句构造SQL查询。这里有一个很棒的指南:
https://websitebeaver.com/prepared-statements-in-php-mysqli-to-prevent-sql-injection
答案 2 :(得分:1)
$sql = "SELECT `student_id` , `name`, `htno`, `department`, `class` , `image_name` FROM student_detail where department=$department && class=$class";
尝试将其更改为
$sql = "SELECT student_id , name, htno, department, class , image_name FROM student_detail WHERE department= " . $department . " AND class=" . $class . ";";
编辑:正如 Aniket Sahrawat 建议的那样,准备好的陈述是您需要实施的。
$sth = $dbh->prepare('SELECT name, colour, calories, fruit WHERE calories < ? AND colour= ?');
$sth->execute(array(150, 'red'));
Edit2:感谢 Nigel Ren 注意到我在准备好的声明中的错误; p