参数化查询PHP / SQL Server

时间:2019-01-23 17:06:25

标签: php sql sql-server

我有一个Web表单,可将​​事件详细信息输入数据库以在网站上列出。该表单捕获照片的名称,事件标题,取消列出事件的日期,排序编号,描述以及位标记“ Mass”。

描述字段是纯文本字段。我知道我可能应该将字段更改为富文本格式,但是那是我有时间探索如何执行此操作的一天。无论如何...我一直在向文本中添加HTML字符以对其进行格式设置。我发现诸如之类的结束字符的斜杠被视为转义字符,而不是文本的一部分。如何告诉我的代码不要转义?

代码:

//connect to the database.
$serverName = "livedata";
$connectionInfo = array( "Database"=>"administration", "UID"=>"User", "PWD"=>"PASSWORD", "LoginTimeout"=>60 );
$conn = sqlsrv_connect( $serverName, $connectionInfo);
if( $conn === false ) {
     die( print_r( sqlsrv_errors(), true));
}

/* Set up the parameterized query. */  
$tsql = "insert into tblevents (Photo, title, Unlist, Sort, Description, Par_num, mass ) values(?,?,?,?,?,?,?)";  

/* Set parameter values. */  
$dt = $_POST['unlist'];
if ($dt == ""){
    $dt = null; 
}
$Sort = $_POST['sort'];
if ($Sort == "" ){
//query to get the max of sort in the database items
//+1 sort

    $sql2 = "SELECT tblevents.Par_Num, Max(tblevents.Sort) AS MaxOfSort FROM parishevents.dbo.tblevents GROUP BY tblevents.Par_Num HAVING (((tblevents.Par_Num)=" . $_POST['par_num'] . "));";
        //echo "SQL2: " . $sql2 . "<br><br>";

    $stmt2 = sqlsrv_query( $conn, $sql2);
    if( $stmt2 === false ) {
     die( print_r( sqlsrv_errors(), true));
    }

    $result2 = sqlsrv_query($conn, $sql2);
    while($row2 = sqlsrv_fetch_array($result2)) { 
        $Sort = $row2['MaxOfSort'] +1;
}
    if(isset($_POST['mass'])){
        if($_POST['mass'] == "on"){
            $mass = -1;
        }
        else{
            $mass = 0;
        }
    }else{
        $mass = 0;  
    }
$params = array($_POST['photo'], $_POST['title'], $dt, $Sort, $_POST['description'], $_POST['par_num'], $mass);  

/* Prepare and execute the query. */  
$stmt = sqlsrv_query($conn, $tsql, $params);  


/* Free statement and connection resources. */  
sqlsrv_free_stmt($stmt);  

}

0 个答案:

没有答案
相关问题
最新问题