
I have multiple dropdown menus. When the user clicks the submit button, the isset function in the if clause is triggered and the following code gets executed:

if(isset($_POST["submit"]))
{
    $player_id = $_REQUEST['players'];
    var_dump ($player_id);
    for($i=0; $i < sizeof($player_id); $i++) //query database with different player_id each time
    {
        foreach ($player_id as $id){
            $query = 'SELECT `name`  FROM `player_info`
            WHERE `player_id` = '.$id;
            $return_names = mysql_query($query) or die(mysql_error());
        }
        while($row = mysql_fetch_array($return_names))
        {
            $selected[] = $row['name'];
        }
        var_dump($selected);
    }
}

What the above code should do is return the names of the players the user selected. However, when I open it I get this:


Notice the $player_id array which I use in the 1st var_dump holds the different player_id values.

However, when I do a var_dump on the second array $selected, the array contains only the values "Burger".

I suspect the problem is in the foreach loop and the way I query the database. If someone could point me in the right direction it would be greatly appreciated. Thanks in advance.


5 Answers

2

Use the force, Luke! Use an abstraction library like safeMysql, and it will be two lines of code:

$sql = 'SELECT name  FROM player_info WHERE player_id in (?a)';
$names = $db->getCol($sql,$_POST['players']);

And, unlike yours, it is injection-safe.

answered 2013-10-06T10:35:45.340
0

Remove the for loop and it should work. You want to iterate over each player id, which you are already doing with foreach. The outer for is not needed.

answered 2013-10-06T10:29:35.777
0

The loop for($i=0; $i < sizeof($player_id); $i++) is a redundant loop. You are not using $i in this loop, so you don't need it. Just imagine: if your $player_id array has 3 items, you loop over it, and on each step of this loop you also loop over the whole $player_id array again with the foreach loop.

Also, you are passing variables into the query in an unsafe way. The best practice, in my opinion, is to get into the habit of casting incoming $_POST variables to int whenever they are supposed to be numbers. It is just one line: $player_ids = array_map('intval', $_REQUEST['players']);, or $id = (int)$_POST['id'], or $number = (int)$_GET['number'], and so on.

Another thing is over-querying your database. Instead of creating a separate query for each ID, you can use one query with the IN operator, whose right-hand side is all the IDs joined by commas.

A safer variant of your code would be:

if ( isset($_POST['submit']) ) {
    $player_ids = array_map('intval', $_REQUEST['players']);

    //var_dump($player_ids);

    $query = 'SELECT `name` 
        FROM `player_info` 
        WHERE `player_id` IN (' . implode(',', $player_ids) . ')';

    $return_names = mysql_query($query) or die(mysql_error());

    while ( $row = mysql_fetch_assoc($return_names) ) {
        $selected[] = $row['name'];
    }

    //var_dump($selected);
}
answered 2013-10-06T11:12:06.303
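The first answer (an abstraction library with a bound IN list) and the answer above (intval plus one IN query) both come down to the same thing: never concatenate request values into SQL. The following is an added example, not code from the question or from any answer, that implements that with PDO prepared statements, since the mysql_* functions used on this page no longer exist in current PHP. It assumes a PDO connection (hypothetical DSN and credentials) and the same `player_info` table and `players` form field as the question.

```php
<?php
// Added example: names of the selected players via one parameterised IN query.
// Assumes a <select name="players[]" multiple> form and a PDO connection; the
// DSN, user and password below are placeholders, not values from the page.

function fetchPlayerNames(PDO $pdo, array $rawIds): array
{
    // Validate first: keep only values that are genuine non-negative integers.
    // Anything else (empty strings, "1 OR 1=1", nested arrays) is dropped.
    $ids = [];
    foreach ($rawIds as $raw) {
        $v = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
        if ($v !== false) {
            $ids[] = $v;
        }
    }
    $ids = array_values(array_unique($ids));
    if ($ids === []) {
        return [];                 // "IN ()" is a syntax error, so short-circuit
    }

    // One "?" placeholder per id; the values are bound, never spliced into SQL,
    // so the driver, not string concatenation, decides how they are transmitted.
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $pdo->prepare(
        "SELECT `name` FROM `player_info` WHERE `player_id` IN ($placeholders)"
    );
    foreach ($ids as $i => $id) {
        $stmt->bindValue($i + 1, $id, PDO::PARAM_INT);   // placeholders are 1-based
    }
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN, 0);       // flat list of names
}

if (isset($_POST['submit'])) {
    $raw = $_POST['players'] ?? [];
    if (!is_array($raw)) {
        $raw = [$raw];           // a single selection arrives as a scalar
    }
    $pdo = new PDO('mysql:host=localhost;dbname=example', 'user', 'pass', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepares
    ]);
    $selected = fetchPlayerNames($pdo, $raw);
    var_dump($selected);
}
```

With emulated prepares disabled, an id such as `5 OR 1=1` is rejected by the integer filter before the query is ever built, and a valid id is sent as a typed parameter rather than as query text.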
0

You are actually running the same loop twice. Take out

for($i=0; $i < sizeof($player_id); $i++){} 
answered 2013-10-06T10:44:04.390
-1

You are double looping for no reason.

Also, while you execute a SELECT for each player id, you are trying to iterate over the results outside the foreach, which means you end up iterating only over the last one.

Also, none of your SELECTs needs any iteration, as long as each of them produces at most one row.

Try something like this:

if(isset($_POST["submit"]))
  {
  $player_id = $_REQUEST['players'];
  var_dump ($player_id);
  foreach ($player_id as $id)
    {
    $query = 'SELECT `name`  FROM `player_info` WHERE `player_id` = '.$id;
    $return_names = mysql_query($query) or die(mysql_error());
    $row=mysql_fetch_array($return_names); // at most one -- or not?
    if($row)
      {
      $selected=$row['name'];     
      var_dump($selected);
      }
    else
      echo "Player with id $id not found in DB!";
    }
  }
answered 2013-10-06T10:47:18.663