我有一个来自ajax函数的“ field_names”数组。它的结构很简单。
Array ( [0] => balcony [1] => bathroom_count [2] => building_age [3] => exchangeable [4] => floor_count [5] => floor_location [6] => furnished [7] => heating_system [8] => inside_site [9] => room_count [10] => using_status [11] => available_for_loan [12] => )
我正在使用该数组定义输入值。但是,当我使用该数组进行插入查询时,即使我已经在窗体上使用它,我的代码也将其视为没有数组。
$lastid = mysqli_insert_id($connect);
foreach ($field_names as $field_name) {
$ads_field_query_string = "INSERT INTO ads_fields (ads_id, field_name, field_value) VALUES ('$lastid', '$field_name', '$_POST[$field_name]')";
$ads_fields_query_run = mysqli_query($connect, $ads_fields_query_string);
echo $ads_field_query_string;
}
答案 0 :(得分:0)
我认为您的输入错误
最初,SQL查询被声明为$ads_field_query_string,但是在对mysqli_query的调用中,您引用了$ads_fields_query_string〜请注意额外的s
如果您使用更简单的名称,则更容易发现此错误,例如:
$lastid = mysqli_insert_id( $connect );
foreach ( $field_names as $field ) {
$sql = "INSERT INTO `ads_fields` ( `ads_id`, `field_name`, `field_value` ) VALUES ( '$lastid', '$field', '{$_POST[$field]}' )";
$res = mysqli_query( $connect, $sql );
echo $sql;
}
也就是说,代码容易受到SQL注入的攻击-使用准备好的语句会更好,例如:
$sql='insert into `ads_fields` ( `ads_id`, `field_name`, `field_value` ) values (?,?,?)';
$stmt=$connect->prepare( $sql );
if( $stmt ){
$stmt->bind_param( 'iss', $lastid, $name, $value );
foreach( $field_names as $name ){
$value=$_POST[ $name ];
$stmt->execute();
}
$stmt->close();
$connect->close();
}