0

我有一个数据库,其中有一个主表单,列出所有使用此代码的人员

<?php
$con = mysql_connect("localhost","root","");
if (!$con)
  {
  die('Could not connect: ' . mysql_error());
  }
mysql_select_db("datatest", $con);
$result = mysql_query("SELECT * FROM Personnel");
echo "<TABLE BORDER=2>";
echo"<TR><TD><B>Name</B><TD><B>Number</B><TD><B>View</B><TD></TR>";
while ($myrow = mysql_fetch_array($result))
{
echo "<TR><TD>".$myrow["Surname"]." ".$myrow["First Names"]."<TD>".$myrow["Number"];
echo "<TD><a href=\"childdetails.php?EmployeeID=".$myrow["EmployeeID"]."\">View</a>";
}
echo "</TABLE>";
?>
</HTML>

如您所见,我有一个查看此人详细信息的链接,但是当我单击查看链接时,我收到以下错误

解析错误:语法错误,第 6 行 C:\Program Files\EasyPHP-12.1\www\my便携式文件\dss4\childdetails.php 中的意外 'EmployeeID' (T_STRING) childdetails.php 具有以下代码

<HTML>
<?php
$db = mysql_connect("localhost", "root", "");
mysql_select_db("datatest",$db);
$result = mysql_query("SELECT * FROM children; 
WHERE "EmployeeID="["$EmployeeID"],$db);
$myrow = mysql_fetch_array($result);
echo "Child Name: ".$myrow["ChildName"];
echo "<br>Mother: ".$myrow["Mother"];
echo "<br>Date of Birth: ".$myrow["DateOfBirth"];
?>
</HTML>

由于列出人员的第一个表格有效,我相信问题出在服务器返回的第 6 行的 childdetails.php 中,但我根本不知道如何解决它。

注意:一个人可以有多个孩子也可以有多个妻子 请帮助

4

3 回答 3

0

首先,你的查询是错误的,你告诉 sql 你的脚本已经结束,它应该开始执行新的东西。我将在下面向您展示如何正确执行此操作。

另外,不要使用 mysql 特定的语法,它已经过时了,以后会给你带来真正的麻烦,特别是如果你决定使用 sqlite 或 postgresql。

此外,学习使用准备好的语句来避免 sql 注入,您希望将变量用作准备好的查询中的字符串,而不是作为 sql 的可能执行脚本。

使用 PDO 连接,您可以像这样初始化一个:

// Usage:   $db = connectToDatabase($dbHost, $dbName, $dbUsername, $dbPassword);
// Pre:     $dbHost is the database hostname, 
//          $dbName is the name of the database itself,
//          $dbUsername is the username to access the database,
//          $dbPassword is the password for the user of the database.
// Post:    $db is an PDO connection to the database, based on the input parameters.
function connectToDatabase($dbHost, $dbName, $dbUsername, $dbPassword)
{
    try
    {
         return new PDO("mysql:host=$dbHost;dbname=$dbName;charset=UTF-8", $dbUsername, $dbPassword);
    }
    catch(PDOException $PDOexception)
    {
        exit("<p>An error ocurred: Can't connect to database. </p><p>More preciesly: ". $PDOexception->getMessage(). "</p>");
    }
}

然后初始化变量:

$host = 'localhost';
$user = 'root';
$dataBaseName = 'databaseName';
$pass = '';

现在您可以通过以下方式访问您的数据库

$db = connectToDatabase($host , $databaseName, $user, $pass); // You can make it be a global variable if you want to access it from somewhere else.

现在您应该构造一个可以用作准备好的查询的查询,也就是说,它接受准备好的语句,以便您准备查询,然后执行一个变量数组,这些变量将被放入查询中,并且将避免 sql同时注入:

$query = "SELECT * FROM children WHERE EmployeeID = :employeeID;"; // Construct the query, making it accept a prepared variable.
$statement = $db->prepare($query); // Prepare the query.
$statement->execute(array(':employeeID' => $EmployeeID)); // Here you insert the variable, by executing it 'into' the prepared query.
$statement->setFetchMode(PDO::FETCH_ASSOC); // Set the fetch mode.

while ($row = $statement->fetch())
{
    $ChildName = $row['ChildName'];
    $Mother = $row['Mother'];
    $DateOfBirth = $row['DateOfBirth'];
    echo "Child Name: $ChildName";
    echo "<br />Mother: $Mother";
    echo "<br />Date of Birth: $DateOfBirth";
}

您应该使用类似的方法来接收 $EmployeeID 但这应该对您有很大帮助。

顺便说一句:记得用空格 ' ' 和正斜杠来关闭你的中断标签,就像我向你展示的那样。

于 2013-03-12T03:23:32.967 回答
0

你需要改变你的查询是这样的

<HTML>
<?php
$db = mysql_connect("localhost", "root", "");
mysql_select_db("datatest",$db);
$result = mysql_query("SELECT * FROM children WHERE EmployeeID=" . $EmployeeID, $db);
$myrow = mysql_fetch_array($result);
echo "Child Name: ".$myrow["ChildName"];
echo "<br>Mother: ".$myrow["Mother"];
echo "<br>Date of Birth: ".$myrow["DateOfBirth"];
?>
</HTML>
于 2013-03-12T03:05:54.590 回答
0

我会说更像。

$result = mysql_query("SELECT * FROM children WHERE EmployeeID='$EmployeeID'");
// as far $EmployeeID is actualy set before running a query
//but as comment says don't use mysql better something like this

<?php
$mysqli = new mysqli('localhost', 'root', 'my_password', 'my_db');
if ($mysqli->connect_error) {
    die('Connect Error (' . $mysqli->connect_errno . ') '
        . $mysqli->connect_error);
}
/* create a prepared statement */
if ($stmt = $mysqli->prepare("SELECT * FROM children WHERE EmployeeID=?")) {

/* bind parameters for markers */
$stmt->bind_param("s", $EmployeeID);

/* execute query */
$stmt->execute();

/* bind result variables */
$stmt->bind_result($Employee);

/* fetch value */
$stmt->fetch();

printf($Employee);

/* close statement */
$stmt->close();
}
/* close connection */
$mysqli->close();
于 2013-03-12T03:14:00.487 回答