0

请帮我弄清楚这一点。第一个查询将返回一条消息,说明 

Couldn't execute query: Unknown column 'ssd23' in 'where clause.

ssd23是价值$_POST将从 html 表单中获取的 pnumber 的值。但是,如果只有数字,它会起作用。

$result = mysqli_query($con, "DELETE FROM Tools WHERE PartNumber = {'$_POST['pnumber']'}") or die ("Couldn't execute query: " .mysqli_error($con));

使用变量后,下面的第二个查询将同时处理数字和字符。

$test = $_POST['pnumber'];                  
$result = mysqli_query($con, "DELETE FROM Tools WHERE PartNumber = '$test'") or die ("Couldn't execute query: " .mysqli_error($con));
4

1 回答 1

1

替换这个:

$result = mysqli_query($con, "DELETE FROM Tools WHERE PartNumber = {'$_POST['pnumber']'}") or die ("Couldn't execute query: " .mysqli_error($con));

有了这个:

$result = mysqli_query($con, "DELETE FROM Tools WHERE PartNumber = '" . $_POST['pnumber'] ."'") or die ("Couldn't execute query: " .mysqli_error($con));

注意我没有照顾上面的sql注入

更好的是使用准备语句来保护您的查询,在您的情况下,它将是这样的:

$sql= 'DELETE FROM Tools WHERE PartNumber= ?';      

$stmt = $con->prepare($sql); 
$stmt->bind_param('i', $_POST['pnumber']);
$stmt->execute();
于 2013-08-03T17:24:54.823 回答