将变量从php传递给mysql查询并显示

时间:2011-06-06 10:31:39

标签: php

有人能告诉我如何将php值$ value_aid和$ value_tradeid传递给我的sql查询res3吗?

<?php
//error_reporting(E_ALL);

///////////////////////Connect to the database and close the connection when finished///////////////////////////////

include ("dbconnect.php");

///////////////////////////////// Gather and Display area_id //////////////////////////////

$res=mysql_query("SELECT area_id FROM pc_test WHERE postcodes = '".$_POST['postcode']."'");
while ($row = mysql_fetch_array($res))
{
// This works !!
//echo("$row[area_id]");
$value_aid="$row[area_id]";
echo("$value_aid");
}

////////////////// Gather and Display postcodes relating to area_id ////////////////////////

$res3=mysql_query("SELECT trade_id FROM trade WHERE trade_type = '".$_POST['trade_type']."'");
while ($row3 = mysql_fetch_array($res3))
{
// And this works !!
echo("\n$row3[trade_id]");
$value_tradeid="$row3[trade_id]";
}

/**************************************** Gather the query information ********************************************/

//************!!!!!!!!!!!!!!!!  This part does not work as the variable values are not being passed !!!!!!!!!!!**********//

$res2=mysql_query("SELECT first_name, last_name, phone_mobile, postcode, trade_type FROM customer WHERE area_id = '$value_aid' && trade_id = '$value_tradeid'");

/**************************************** DISPLAY QUERY RESULTS HERE *********************************************/
while ($row2 = mysql_fetch_array($res2))

{ 

echo("<TABLE align='center' border = '1' bgcolor = 'A7E3F6'><TH><strong>SEARCH RESULTS<strong></TH>");
echo("<TR><TD><strong>Name :<strong>\n$row2[first_name]\n$row2[last_name]</TD></TR>");
echo("<TR><TD><strong>Phone :<strong>\n$row2[phone_mobile]</TD></TR>");
echo("<TR><TD><strong>Postcode :<strong>\n$row2[postcode]</TD></TR>");
echo("<TR><TD><strong>Trade Type :<strong>\n$row2[trade_type]</TD></TR></TABLE>");
}

/*********************** If no matching records in my table...DISPLAY MESSAGE HERE ******************************/

if (mysql_num_rows($res2) == 0) {

echo ("<strong><br><br>No one is advertising for this area just yet, sorry.<br>We will have tradesmen advertising here very soon.</strong>");
}

//include ("db_close.php");

?>

1 个答案:

答案 0 :(得分:0)

首先,不要将用户(_POST,_GET,...)中的变量直接传递给数据库查询而不转义它们(例如mysql_real_escape_string($ _ POST ['name'])这会导致大量的安全问题( SQL注入)

分配一个变量,其值只是您使用的nother变量:

$value_tradeid = $row['trade_id'];

变量不需要作为字符串封装,但数组键应该!

关于那些不起作用的查询,为什么你不会逃避字符串,就像你在其他人中所做的一样。

$res2=mysql_query("SELECT first_name, last_name, phone_mobile, postcode, trade_type FROM customer WHERE area_id = '".$value_aid."' && trade_id = '".$value_tradeid."'");

您还应该阅读有关PDO和准备陈述的内容。

相关问题
最新问题