$select = $_POST['select']; $search = $_POST['search']; $sql = "SELECT * FROM '$select' WHERE $select = '$search'";
选择美元= $ _POST['选择'];$搜索= $ _POST['搜索'];$sql = "SELECT * FROM '$ SELECT ',其中$ SELECT = '$search'";
I have 2 variables carrying the aforementioned table name and column name. I want the user to be able to select a table name and then select a specific column and output the requested record.
我有两个变量,包含前面提到的表名和列名。我希望用户能够选择一个表名,然后选择一个特定的列并输出所请求的记录。
I only have a problem with writing the sql statement. Thanks in advanced!
我只对编写sql语句有问题。由于先进的!
2 个解决方案
#1
1
you may use the following query without any problem...
您可以使用下面的查询,没有任何问题…
$sql="SELECT * from $select WHERE field_name='$search' ";
$sql="SELECT * from $ SELECT WHERE field_name='$search' ";
In the above query field_name is the that field name in which you want to search value of mattch the value.
在上面的查询field_name中,您想要搜索值的字段名。
#2
1
you are using table instead of column
您使用的是表而不是列。
$sql = "SELECT * FROM '$select' WHERE $select = '$search'";
^^^^^^----//this should be column not table
this is bad idea you are doing. FULL of sql injection
这是你的坏主意。sql注入的
- switch to pdo or mysqli.
- 切换到pdo或mysqli。
- Escape your variables.
- 逃避你的变量。
#1
1
you may use the following query without any problem...
您可以使用下面的查询,没有任何问题…
$sql="SELECT * from $select WHERE field_name='$search' ";
$sql="SELECT * from $ SELECT WHERE field_name='$search' ";
In the above query field_name is the that field name in which you want to search value of mattch the value.
在上面的查询field_name中,您想要搜索值的字段名。
#2
1
you are using table instead of column
您使用的是表而不是列。
$sql = "SELECT * FROM '$select' WHERE $select = '$search'";
^^^^^^----//this should be column not table
this is bad idea you are doing. FULL of sql injection
这是你的坏主意。sql注入的
- switch to pdo or mysqli.
- 切换到pdo或mysqli。
- Escape your variables.
- 逃避你的变量。