0

我的 PHP 文件包含以下函数。当我将 review 列设置为 2 时,它可以工作'$review'IdUser但我需要IdUser将变量设置为$userIdUser设置变量而不是常量的正确语法是什么?(最好以一种避免 SQL 注入攻击的方式)。

function addRatings2($review, $user) {  
    //try to insert a new row in the "ratings" table with the given UserID
    $result = query("UPDATE ratings SET review ='$review' WHERE IdUser = 2 order by dateTime desc limit 1");    
}
4

4 回答 4

1

嗨,正确的语法是使用

{$var}无论您希望 var 的当前值出现在哪里,所以在您的情况下,它会是

$result = query("UPDATE ratings SET review ='{$review}' WHERE IdUser = {$user}
order by dateTime desc limit 1");
于 2013-05-23T03:02:07.243 回答
1

您必须像以前那样对字符串使用单引号,但对于整数不需要

query("UPDATE ratings SET review ='$review' WHERE IdUser = $user order by dateTime desc limit 1");
于 2013-05-23T03:12:27.817 回答
1

//防注入

$user = (int)$user;

$review = mysql_real_escape_string($result); //mysqli_real_escape_string会更好

$result = query("UPDATE ratings SET review ='$review' WHERE IdUser = $user order by dateTime desc limit 1");

于 2013-05-23T03:09:13.287 回答
0

试试这个。 function addRatings2($review, $user) {

$review = mysql_real_escape_string($review);

$user = (int)$user 

$result = query("UPDATE ratings SET review ='$review' WHERE IdUser = $user order by        dateTime desc limit 1");

}

于 2013-05-23T03:29:54.650 回答