0

所以通常我会编写如下查询和循环:

    $result = mssql_query("SELECT Element FROM Table WHERE Type='Type'");

                while ($row = mssql_fetch_array($result)) { 
}

我知道这不是最佳实践,但我仍在学习并且它有效。

我曾经将我的查询连接如下:

$query = "SELECT Element ";
$query .= "FROM Table ";
$query .= "WHERE Condition = 'no' ";

$result = mssql_query($query);

$numRows = mssql_num_rows($result);

这不是很安全,但是我写了一个 SQL 编码,但我离题了。我现在面临的问题是没有编写很长的查询并循环它。我已经写了以下内容,但是它不起作用。有人可以告诉我我的语法是否正确,以便我可以调试问题是否出在我的语法或其他元素上。任何帮助将不胜感激。

 $query = "INSERT INTO Items (BasketID, Qty, ProductType, Element1, Element2, Element3, Element4, Element5, Element6, Element7, Element8, Element9, Element10, Element11, Element12, Element13, Element14, Element15, Element16, Element17, Element18, Element19, Element20, DateAdded, Notes)";
$query .= " VALUES ("$_SESSION['basketid']", "1", "Type1", "SQLencode($_POST['Element1'])", "SQLencode($_POST['Element2'])", "SQLencode($_POST['Element3'])", "SQLencode($_POST['Element4'])", "SQLencode($_POST['Element5'])", "SQLencode($_POST['Element6'])", "SQLencode($_POST['Element7'])",";
$query .= ""SQLencode($_POST['Element8'])", "SQLencode($_POST['Element9'])", "SQLencode($_POST['Element10'])","SQLencode($_POST['Element11']", "SQLencode($_POST['Element12']", "SQLencode($_POST['Element13']","SQLencode($_POST['Element14']","SQLencode($_POST['Element15']", "SQLencode($_POST['Element16']",";
$query .= ""SQLencode($_POST['Element17'])","SQLencode($_POST['Element18'])","SQLencode($_POST['Element19'])", "SQLencode($_POST['Element20'])", "NOW()", "SQLencode($_POST['Notes'])" ) "

$insertsql = mssql_query($query);

while ($insertrow = mssql_fetch_array($insertsql)) { 


?>

我认为/希望我是正确的轨道,但我认为我的实际查询语法在某处略有错误,但我不太明白为什么,我不断收到意外的 t_variables。谁能指出我哪里出错了?

4

2 回答 2

0

查看您的代码:

 $query = "INSERT INTO Items (BasketID, Qty, ProductType, Element1, Element2, Element3, Element4, Element5, Element6, Element7, Element8, Element9, Element10, Element11, Element12, Element13, Element14, Element15, Element16, Element17, Element18, Element19, Element20, DateAdded, Notes)"; 
$query .= " VALUES ('$_SESSION['basketid']', '1', 'Type1', "SQLencode($_POST['Element1'])", "SQLencode($_POST['Element2'])", "SQLencode($_POST['Element3'])", "SQLencode($_POST['Element4'])", "SQLencode($_POST['Element5'])", "SQLencode($_POST['Element6'])", "SQLencode($_POST['Element7'])""; 
$query .= ""SQLencode($_POST['Element8'])", "SQLencode($_POST['Element9'])", "SQLencode($_POST['Element10'])","SQLencode($_POST['Element11']", "SQLencode($_POST['Element12']", "SQLencode($_POST['Element13']","SQLencode($_POST['Element14']","SQLencode($_POST['Element15']", "SQLencode($_POST['Element16']","; 
$query .= ""SQLencode($_POST['Element17'])","SQLencode($_POST['Element18'])","SQLencode($_POST['Element19'])", "SQLencode($_POST['Element20'])", "NOW()", "SQLencode($_POST['Notes'])" ) "

第 2 行末尾缺少逗号

于 2012-10-19T10:27:36.643 回答
0

我发现在数组中更容易做到:

$fields = array(
    'BasketId'    => $_SESSION['basketid'],
    'Qty'         => 1,
    'ProductType' => 'Type1',
    'Element1'    => SQLencode($_POST['Element1']),
    ...
);

$query = 'INSERT INTO Items ('
$query .= implode(',', array_keys($fields));
$query .= ') VALUES (';
foreach($fields as $value)
    $query .= is_numeric($value) ? $value : "'$value'";
$query .= ');';

您还可以为您的字段制作一种特殊的语法:

'Element1'     => '@Element1',

然后用于array_map将所有@-elements 转换为 SQLEncodes。这样您就不会忘记对外部提供的值进行编码:如果您忘记了@,则输入一个无害的字符串。

于 2012-10-19T10:36:07.890 回答