这是我想要做的
{
{
$sql="SELECT ISO_id,gdp,population,country_name,gold,silver,bronze,total FROM Country ORDER BY (46034/($_GET["x"]*bronze)+($_GET["y]*silver]+(z*gold)*(gdp/population))"; // chosen to order my html table with the number the medals each country won at the olympics
}
}
但是我不知道如何在语句中包含 $_GET
$sql="SELECT
ISO_id,
gdp,
population,
country_name,
gold,
silver,
bronze,
total,
(46034/(" . $_GET["x"] . "*bronze)+(" . $_GET["y"] . "*silver]+(z*gold)*(gdp/population)) as number_medals
FROM Country
ORDER BY number_medals";
Be careful of sql injection....
its a good idea to first make the get variable into a separate variable then from there clean it up because putting get variables straight into an sql statement leaves you open to sql injection.
Say the url looks like this. http://www.mysite.com?ID=4 to get at the id you would go $_GET[ID] or to be safe $id = $_GET[ID] and from here do some work to clean any bad data from the id. http://php.net/manual/en/function.mysql-real-escape-string.php this will help you out a bit but still its never 100% save.
I remember back when i was trying to figure this out and i didnt want to look at alternatives i just wanted to make it work but a word of advice would be to use PDO prepared statements. They are a little tricky to understand at first but this guide is pretty good and will explain how to do it quite easily. PDO keeps you safe from sql injection.
要在当前语句中使用 $_GET 参数,请使用:
$sql="
SELECT ISO_id,gdp,population,country_name,gold,silver,bronze,total
FROM Country
ORDER BY (46034/(" . $_GET["x"] . "*bronze)+(" . $_GET["y"] . "*silver]+(z*gold)*(gdp/population))";
但是,请注意,这会使您面临 SQL 注入攻击,因此您应该考虑在此类查询中使用之前过滤您的输入。有关详细信息,请参阅如何防止 PHP 中的 SQL 注入?
ORDER BY另外,请注意,长崎在评论中指出,您的条款似乎有错误。您应该按列名排序。
只需添加大括号
{ { $sql="SELECT ISO_id,gdp,population,country_name,gd,silver,bronze,total FROM Country ORDER BY (46034/({$_GET["x"]}*bronze)+({$_GET["y ]}*silver]+(z*gold)*(gdp/population))"; // 选择用每个国家在奥运会上获得的奖牌数量来订购我的 html 表格 } }