6

我正在使用 GET 方法从 url 中检索值,然后使用 if 语句确定它们是否存在,然后针对数据库查询它们以仅显示与它们匹配的那些项目,我的请求出现未知错误。这是我的代码

$province = $_GET['province'];
$city = $_GET['city'];

if(isset($province) && isset($city) ) {         
  $results3 = mysql_query("SELECT * 
                            FROM generalinfo 
                           WHERE province = $province 
                             AND city = $city  ") 
                       or die( "An unknown error occurred with your request");          
} else {             
  $results3 = mysql_query("SELECT * FROM generalinfo");  
} /*if statement ends*/
4

1 回答 1

6

您需要在 SQL 中用单引号括住您的字符串:

"SELECT * FROM generalinfo WHERE province='$province' AND city='$city'"

请注意,以这种方式构建查询可能会使您面临 SQL 注入漏洞的风险。考虑改用mysql_real_escape_string

"SELECT * FROM generalinfo WHERE province='" .
mysql_real_escape_string($province) . "' AND city='" .
mysql_real_escape_string($city) . "'"
于 2010-05-16T22:02:12.400 回答