I have a function for selecting from my database but when the $id contains quotes it breaks. Here is my code:
我有一个从我的数据库中选择的功能,但当$ id包含引号时,它会中断。这是我的代码:
public function database_select_one($table, $identifier, $id) {
$sql = 'SELECT * FROM '.$table.' WHERE '.$identifier.'="'.$id.'" LIMIT 1';
$mysqli_result = $this->query($sql);
$data = $this->fetch($mysqli_result, 1);
return $data;
}
2 个解决方案
#1
0
You can remove quotes from you $id field with str_replace. http://tr2.php.net/str_replace
您可以使用str_replace从$ id字段中删除引号。 http://tr2.php.net/str_replace
public function database_select_one($table, $identifier, $id) {
str_replace('"', "", $id);
$sql = 'SELECT * FROM '.$table.' WHERE '.$identifier.'="'.$id.'" LIMIT 1';
$mysqli_result = $this->query($sql);
$data = $this->fetch($mysqli_result, 1);
return $data;
}
#2
0
Use prepare statement:
使用准备声明:
$stmt= mysqli_prepare($link, "SELECT * FROM ".$table." WHERE ". $identifier . " = :id LIMIT 1");
mysqli_stmt_bind_param($stmt, "id", $id);
mysqli_stmt_execute($stmt);
#1
0
You can remove quotes from you $id field with str_replace. http://tr2.php.net/str_replace
您可以使用str_replace从$ id字段中删除引号。 http://tr2.php.net/str_replace
public function database_select_one($table, $identifier, $id) {
str_replace('"', "", $id);
$sql = 'SELECT * FROM '.$table.' WHERE '.$identifier.'="'.$id.'" LIMIT 1';
$mysqli_result = $this->query($sql);
$data = $this->fetch($mysqli_result, 1);
return $data;
}
#2
0
Use prepare statement:
使用准备声明:
$stmt= mysqli_prepare($link, "SELECT * FROM ".$table." WHERE ". $identifier . " = :id LIMIT 1");
mysqli_stmt_bind_param($stmt, "id", $id);
mysqli_stmt_execute($stmt);