在sql查询中准备语句的情况下,执行减法运算的正确方法吗?
$sql = "UPDATE users set credits = (credits-$price) WHERE username = ?";
基于$ price的值减去用户信用的代码
$price = $row0['price'];
$sql = "UPDATE users set credits = (credits-$price) WHERE username = ?;";
$stmt1 = mysqli_stmt_init($conn);
if(!mysqli_stmt_prepare($stmt1, $sql)) {
$db_err = array("error" => "Database");
echo json_encode($db_err);
} else {
mysqli_stmt_bind_param($stmt1, "s", $_SESSION['username']);
mysqli_stmt_execute($stmt1);
答案 0 :(得分:0)
您需要为$price
变量使用一个占位符,以正确使用准备好的语句。除非您能够将值与可能值的列表进行比较,否则串联值永远是不安全的。
$sql = "UPDATE users set credits = (credits - ?) WHERE username = ?;";
if(!mysqli_stmt_prepare($stmt1, $sql)) {
...
} else {
mysqli_stmt_bind_param($stmt1, "ss", $price, $_SESSION['username']);
mysqli_stmt_execute($stmt1);
}
请注意,最好将对象语法用于many reasons。这是您的操作方式:
if($stmt1 = $mysqli->prepare("UPDATE users set credits = (credits - ?) WHERE username = ?")) {
$stmt1->bind_param("ss", $price, $_SESSION['username']);
$stmt1->execute();
} else {
//notice I use `$stmt1->error` to get the actual error
$db_err = array("error" => $stmt1->error);
echo json_encode($db_err);
}