-1

我的问题很混乱,但我们开始吧。我用来将数据发布到“blogposts”表中。我的问题是要插入的查询的最后一个值是图片(BLOB)。这些数据需要从用户个人资料中提取(另一个表)。所以我的问题是,有没有办法在 SQL 中的 VALUES() 语句中使用 SUBQUERY 来获取帐户用户的个人资料图片?

这是我的无效查询代码:

<?php
    require_once('startsession.php');
    require_once('appvars.php');
    require_once('connectvars.php');

    $con=mysqli_connect(DB_HOST,DB_USER,DB_PASSWORD,DB_NAME);
    // Check connection
    if (mysqli_connect_errno())
      {
      echo "Failed to connect to MySQL: " . mysqli_connect_error();
      }

    $sql="INSERT INTO blogposts (name, subject, message, post_time, profPic)
    VALUES
    ('$_SESSION[username]','$_POST[subject]','$_POST[message]',current_timestamp,IN(SELECT picture
                                                                                    FROM player
                                                                                    WHERE user_id
                                                                                    EQUALS" . $_SESSION['user_id'] . ")";

    if (!mysqli_query($con,$sql))
      {
      die('Error: ' . mysqli_error($con));
      }
    echo "1 record added";

    mysqli_close($con);
    $page='index.php';
    header('Location:'.$page);
?>
4

1 回答 1

1 
$username = mysqli_real_escape_string($con,$_SESSION['username']);
$userid = mysqli_real_escape_string($con,$_SESSION['userid']);
$subject= mysqli_real_escape_string($con,$_POST['subject']);
$message= mysqli_real_escape_string($con,$_POST['message']);

$sql="INSERT INTO blogposts (name,subject,message,post_time,profPic)
SELECT '$username', 
 '$subject',  
 '$message', 
 CURRENT_TIMESTAMP, 
 picture
  FROM player WHERE user_id = '$user_id';";

$result = mysqli_query($con,$sql);

如评论中所述,查看 SQL 注入和 mysqli_real_escape_string 函数(http://php.net/manual/en/mysqli.real-escape-string.php

编辑:更新以包括程序样式转义字符串和正确的语法

于 2013-07-01T01:51:59.347 回答