I have a PHP script that is generating a MySQL select statement:
我有一个生成MySQL select语句的PHP脚本:
select * from words where word = 'Classic'
select * from words where word ='Classic'
There is exactly one word in the words table with the variable word equal to Classic.
单词表中只有一个单词,变量单词等于Classic。
When my PHP page executes, I get no results from the query. If I echo the string that is being used to execute the query, cut and paste that into the SQL window in PHPMyAdmin in the database, I also get no results. However, if I re-type that EXACT string into the SQL window in PHPMyAdmin (with the same quote characters), I get the proper result of one row.
当我的PHP页面执行时,我从查询中得不到任何结果。如果我回显用于执行查询的字符串,将其剪切并粘贴到数据库中PHPMyAdmin的SQL窗口中,我也没有得到任何结果。但是,如果我将该EXACT字符串重新键入PHPMyAdmin的SQL窗口(使用相同的引号字符),我会得到一行的正确结果。
The word Classic from the select statement is gotten from a PHP GET (see code below). I can echo the $word variable, and get the correct result of 'Classic'. What am I doing wrong?
select语句中的单词Classic来自PHP GET(参见下面的代码)。我可以回显$ word变量,并获得'Classic'的正确结果。我究竟做错了什么?
Here is my code:
这是我的代码:
<?php
require ('dbconnect.php');
$word = $_GET["word"];
$selectStr = "SELECT * FROM words WHERE word = '" . $word . "'";
if ($results = MySQL($dbName, $selectStr))
{
$rowCount = MySQL_NUMROWS($results);
}
$resultRow = MYSQL_FETCH_ROW($results);
$wordID = $resultRow[0];
?>
2 个解决方案
#1
3
Please, please, please sanitize that word. mysql_real_escape_string() should do the trick.
拜托,请消毒那个词。 mysql_real_escape_string()应该可以解决问题。
$selectStr = "SELECT * FROM words WHERE word LIKE '" . $sanitized_word_i_promise . "'"; should work :)
$ selectStr =“SELECT * FROM words WHERE word LIKE'”。 $ sanitized_word_i_promise。 “'”;应该管用 :)
Just to explain: "=" should work for exact matches. This includes uppercase / lowercase, spaces etc. You should probably trim that result first too, before using it in the query.
只是为了解释:“=”应该适用于完全匹配。这包括大写/小写,空格等。在查询中使用它之前,您应该首先修剪该结果。
If you have foo stored in the database (note the space at the end) - it won't match foo, without a space. You'll want to use LIKE 'foo%' - probably.
如果你有foo存储在数据库中(注意末尾的空格) - 它将不匹配foo,没有空格。你可能想要使用LIKE'foo%' - 可能。
Either way, Sourabh is right, although performance wise, this isn't a big hit when trying to match exact strings, you should look for the problem in other places first (such as, is the item in the database an exact match?).
无论哪种方式,Sourabh是对的,虽然性能明智,但在尝试匹配完全字符串时这不是一个大打击,你应该首先在其他地方寻找问题(例如,数据库中的项目是完全匹配吗?) 。
#2
2
First off you should not take any user input and directly input it into a query without sanitizing it, or using a prepared statement.
首先,您不应该接受任何用户输入并直接将其输入到查询中,而无需对其进行清理或使用预准备语句。
Now that we've gotten that out of the way: have you tried doing a strcmp() with the variable and your string written in? Such as
现在我们已经解决了这个问题:你是否尝试过使用变量和字符串写入strcmp()?如
echo strcmp($_GET['word'], "Classic")
echo strcmp($ _ GET ['word'],“Classic”)
If you get a result other than 0 it means they are not the same, most likely there will be a whitespace of some sort in the $_GET variable. use trim() on it to take out whitespace. Also could be a case sensitivity issue as well.
如果得到的结果不是0,则意味着它们不相同,很可能在$ _GET变量中会有某种空格。使用trim()来取出空格。也可能是区分大小写的问题。
#1
3
Please, please, please sanitize that word. mysql_real_escape_string() should do the trick.
拜托,请消毒那个词。 mysql_real_escape_string()应该可以解决问题。
$selectStr = "SELECT * FROM words WHERE word LIKE '" . $sanitized_word_i_promise . "'"; should work :)
$ selectStr =“SELECT * FROM words WHERE word LIKE'”。 $ sanitized_word_i_promise。 “'”;应该管用 :)
Just to explain: "=" should work for exact matches. This includes uppercase / lowercase, spaces etc. You should probably trim that result first too, before using it in the query.
只是为了解释:“=”应该适用于完全匹配。这包括大写/小写,空格等。在查询中使用它之前,您应该首先修剪该结果。
If you have foo stored in the database (note the space at the end) - it won't match foo, without a space. You'll want to use LIKE 'foo%' - probably.
如果你有foo存储在数据库中(注意末尾的空格) - 它将不匹配foo,没有空格。你可能想要使用LIKE'foo%' - 可能。
Either way, Sourabh is right, although performance wise, this isn't a big hit when trying to match exact strings, you should look for the problem in other places first (such as, is the item in the database an exact match?).
无论哪种方式,Sourabh是对的,虽然性能明智,但在尝试匹配完全字符串时这不是一个大打击,你应该首先在其他地方寻找问题(例如,数据库中的项目是完全匹配吗?) 。
#2
2
First off you should not take any user input and directly input it into a query without sanitizing it, or using a prepared statement.
首先,您不应该接受任何用户输入并直接将其输入到查询中,而无需对其进行清理或使用预准备语句。
Now that we've gotten that out of the way: have you tried doing a strcmp() with the variable and your string written in? Such as
现在我们已经解决了这个问题:你是否尝试过使用变量和字符串写入strcmp()?如
echo strcmp($_GET['word'], "Classic")
echo strcmp($ _ GET ['word'],“Classic”)
If you get a result other than 0 it means they are not the same, most likely there will be a whitespace of some sort in the $_GET variable. use trim() on it to take out whitespace. Also could be a case sensitivity issue as well.
如果得到的结果不是0,则意味着它们不相同,很可能在$ _GET变量中会有某种空格。使用trim()来取出空格。也可能是区分大小写的问题。