WHERE子句MySQL中的PHP字符串变量
这个简单的SQL查询有问题:
I am having a problem with this simple sql query:
<?php
require_once('../../Connections/tohoshows.php');
$show ='gothaf';
mysql_select_db($database_tohoshows, $tohoshows);
$query_getShows = "SELECT * FROM toho_shows WHERE toho_shows.show =' ". $show. " '";
$getShows = mysql_query($query_getShows, $tohoshows) or die(mysql_error());
$row_getShows = mysql_fetch_assoc($getShows);
$totalRows_getShows = mysql_num_rows($getShows);
mysql_free_result($getShows);
?>
当我像这样直接在WHERE子句中使用字符串时
When I use the string directly in the WHERE clause like this
$query_getShows = "SELECT * FROM toho_shows WHERE toho_shows.show ='gothaf'";
我得到结果.当我改用变量时,没有任何数据!我是新手,无法弄清楚我在做什么错.任何帮助,将不胜感激. 谢谢!
I get a result. When I use the variable instead, I get no data! I am a novice and I can't figure out what am I doing wrong. Any help would be appreciated. Thank you!
您没有得到日期,因为引号之间有多余的空格
you getting no date because you have extra space betwee the quotes,
$query_getShows = "SELECT * FROM toho_shows WHERE toho_shows.show =' ". $show. " '";
^ HERE ^
然后将被解析为
SELECT * FROM toho_shows WHERE toho_shows.show =' gothaf '
删除它,它将起作用
remove it and it will work
$query_getShows = "SELECT * FROM toho_shows WHERE toho_shows.show ='". $show. "'";
作为附带说明,如果值( s )的变量来自外部.请查看下面的文章,以了解如何防止这种情况的发生.通过使用PreparedStatements,您可以摆脱在值周围使用单引号的情况.
As a sidenote, the query is vulnerable with SQL Injection if the value(s) of the variables came from the outside. Please take a look at the article below to learn how to prevent from it. By using PreparedStatements you can get rid of using single quotes around values.