$sql = "INSERT into x (y,z,t)
VALUES ((SELECT userID FROM users WHERE username ='".$usersql."'),"
."'"."(SELECT itemID from items WHERE category ='".$category."'),"
."'".$amountdays."')";
感谢您的时间。
问问题
56 次
2 回答
0
一点点格式化将有很长的路要走:
$sql = "INSERT into x
(
y,
z,
t
) VALUES (
(SELECT userID FROM users WHERE username = ?),
(SELECT itemID from items WHERE category = ?),
?
);
";
于 2019-11-20T20:47:11.077 回答
0
您应该将 PDO 或 mysqli 与准备好的语句一起使用。然后,您可以为您的值定义变量并在查询后设置它们。这使它更具可读性,并且可以防止代码中的 sql 注入。
https://www.php.net/manual/de/pdo.prepared-statements.php
$stmt = $dbh->prepare("INSERT into x (y,z,t)
VALUES (
SELECT userID FROM users WHERE username = :username,
SELECT itemID FROM items WHERE category = :category,
:amountdays
)";
$stmt->bindParam(':username', $username);
$stmt->bindParam(':category', $category);
$stmt->bindParam(':amountdays', $amountdays);
类似的东西。
于 2019-11-20T20:49:10.430 回答