在php中运行多个查询

时间:2018-05-23 02:22:51

标签: php html

我是PHP和HTML的新手。按下提交按钮后,我尝试使用已存在于用户MySQL表中的数据填充字段(这可行)。我还想将使用SELECT获得的相同数据插入到另一个名为scan的SQL表中。

<?php
// php code to search data in mysql database and set it in input text
if(isset($_POST['search']))
{


    // id to search
    $user_id = $_POST['user_id'];

    // connect to mysql
    $connect = mysqli_connect("127.0.0.1", "root", "root","demodb");

    // mysql search query


    $query = "SELECT * FROM Users WHERE user_id = $user_id LIMIT 1";
    $query = "INSERT INTO scan (user_id, osha, firstname, lastname, company, trade, email, picture) SELECT user_id, osha, firstname, lastname, company, trade, email, picture FROM Users WHERE user_id = $user_id LIMIT 1";



    $result = mysqli_query($connect, $query);



    // if id exist 
    // show data in inputsi
    if(mysqli_num_rows($result) > 0)
    {
      while ($row = mysqli_fetch_array($result))
      {
        $osha = $row['osha'];
        $firstname = $row['firstname'];
        $lastname = $row['lastname'];
        $company = $row['company'];
        $trade = $row['trade'];
      }  
    }

    // if the id not exist
    // show a message and clear inputs
    else {
        echo "Undifined ID";

            $osha = "";
            $firstname = "";
            $lastname = "";
            $company = "";
            $trade = "";
    }


    mysqli_free_result($result);

    mysqli_close($connect);
}    


// in the first time inputs are empty
else{
            $osha = "";
            $firstname = "";
            $lastname = "";
            $company = "";
            $trade = "";
}


?>

<!DOCTYPE html>

<html>

    <head>

        <title> PHP FIND DATA </title>

        <meta charset="UTF-8">

        <meta name="viewport" content="width=device-width, initial-scale=1.0">

    </head>

    <body>

    <form action="barcode.php" method="post">

    Id:<input type="text" name="user_id"><br><br>

    Osha #:<input type="text" name="osha" value="<?php echo $osha;?>"><br><br>

        First Name:<input type="text" name="firstname" value="<?php echo $firstname;?>"><br>
<br>

        Last Name:<input type="text" name="lastname" value="<?php echo $lastname;?>"><br><br>

    Company:<input type="text" name="company" value="<?php echo $company;?>"><br><br>

    Trade:<input type="text" name="trade" value="<?php echo $trade;?>"><br><br>

    <input type="submit" name="search" value="Find">

           </form>

    </body>

</html>

但似乎我只能在PHP中运行一个查询。我尝试集成mysqli_multi_query,但我不断收到以下错误&#34; mysqli_num_rows()期望参数1为mysqli_result&#34;。

如何运行两个查询,同时使用数据填充字段。

添加表定义

用户表

| Users | CREATE TABLE `Users` (
  `user_id` int(6) unsigned NOT NULL AUTO_INCREMENT,
  `osha` int(50) DEFAULT NULL,
  `firstname` varchar(30) NOT NULL,
  `lastname` varchar(30) NOT NULL,
  `company` varchar(50) DEFAULT NULL,
  `trade` varchar(50) DEFAULT NULL,
  `email` varchar(50) DEFAULT NULL,
  `picture` varchar(50) DEFAULT NULL,
  `reg_date` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP,
  PRIMARY KEY (`user_id`)
) ENGINE=InnoDB AUTO_INCREMENT=98819 DEFAULT CHARSET=latin1 |

扫描表

| scan  | CREATE TABLE `scan` (
  `user_id` int(6) unsigned NOT NULL DEFAULT '0',
  `osha` int(50) DEFAULT NULL,
  `firstname` varchar(30) NOT NULL,
  `lastname` varchar(30) NOT NULL,
  `company` varchar(50) DEFAULT NULL,
  `trade` varchar(50) DEFAULT NULL,
  `email` varchar(50) DEFAULT NULL,
  `picture` varchar(50) DEFAULT NULL,
  `reg_date` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP
) ENGINE=InnoDB DEFAULT CHARSET=latin1 |

2 个答案:

答案 0 :(得分:3)

您使用新值覆盖变量$query,而不是先执行查询。虽然你的代码有很多问题,但是这样说:

  • 您没有逃避$_POST['user_id'],请阅读SQL注入攻击。
  • 您没有逃避HTML,请阅读XSS攻击。
  • 您的逻辑流程重复代码
  • 您要通过两次获取数据来添加数据库的额外负载,只需获取一次,然后插入一次。

请参阅下面的重写代码。

<?php
// initalize the variables 
$osha      = "";
$firstname = "";
$lastname  = "";
$company   = "";
$trade     = "";

// php code to search data in mysql database and set it in input text
if(isset($_POST['search']))
{
    // connect to mysql
    $dbc = mysqli_connect("127.0.0.1", "root", "root","demodb");

    // id to search
    $user_id = mysqli_real_escape_string($dbc, $_POST['user_id']);

    $query = "SELECT * FROM Users WHERE user_id = '$user_id' LIMIT 1";
    $rs    = mysqli_query($dbc, $query);
    if (mysqli_num_rows($rs) == 1)
    {
      $row       = mysqli_fetch_array($rs);
      $osha      = $row['osha'];
      $firstname = $row['firstname'];
      $lastname  = $row['lastname'];
      $company   = $row['company'];
      $trade     = $row['trade'];

      $query     = "INSERT INTO scan (user_id, osha, firstname, lastname, company, trade, email, picture) VALUES (" .
        "'" . $user_id . "', '" .
        "'" . mysqli_real_escape_string($dbc, $osha     ) . "', '" .
        "'" . mysqli_real_escape_string($dbc, $firstname) . "', '" .
        "'" . mysqli_real_escape_string($dbc, $lastname ) . "', '" .
        "'" . mysqli_real_escape_string($dbc, $company  ) . "', '" .
        "'" . mysqli_real_escape_string($dbc, $trade    ) . "')";
      mysqli_query($dbc, $query);
    }
    else
    {
      echo "Undefined ID";
    }
}    
?>

<!DOCTYPE html>

<html>

    <head>

        <title> PHP FIND DATA </title>

        <meta charset="UTF-8">

        <meta name="viewport" content="width=device-width, initial-scale=1.0">

    </head>

    <body>

    <form action="barcode.php" method="post">

    Id:<input type="text" name="user_id"><br><br>

    Osha #:<input type="text" name="osha" value="<?= htmlspecialchars($osha) ?>"><br><br>

        First Name:<input type="text" name="firstname" value="<?= htmlspecialchars($firstname) ?>"><br>
<br>

        Last Name:<input type="text" name="lastname" value="<?= htmlspecialchars($lastname) ?>"><br><br>

    Company:<input type="text" name="company" value="<?= htmlspecialchars($company) ?>"><br><br>

    Trade:<input type="text" name="trade" value="<?= htmlspecialchars($trade) ?>"><br><br>

    <input type="submit" name="search" value="Find">

           </form>

    </body>

</html>

答案 1 :(得分:1)

首先,不要在查询中直接使用变量。出于安全考虑,现在强烈建议您准备一天。

所以,像这样更改你的查询,当你同时一个接一个地执行两个查询时,有必要将变量命名为不同的名称,否则后者将覆盖前一个:

$query1 = "SELECT * FROM Users WHERE user_id = ? LIMIT 1";
$query2 = "INSERT INTO scan (user_id, osha, firstname, lastname, company, trade, email, picture) SELECT user_id, osha, firstname, lastname, company, trade, email, picture FROM Users WHERE user_id = ? LIMIT 1";

然后创建如下所示的预备语句:

$stmt = mysqli_stmt_init($connect);
$stmt2 = mysqli_stmt_init($connect);

mysqli_stmt_prepare($stmt, $query1);
mysqli_stmt_prepare($stmt2, $query2);

mysqli_stmt_bind_param($stmt, "s", $user_id);
mysqli_stmt_bind_param($stmt2, "s", $user_id);

然后执行查询:

mysqli_stmt_execute($stmt);
mysqli_stmt_execute($stmt2);

最后,您可以得到$query1的结果:

$result = mysqli_stmt_get_result($stmt);