douanye8442 2015-02-03 15:46
浏览 23
已采纳

PHP中的SQL查询,类型未知

I would like to store a value which is sometimes a string, sometimes an integer. (In PHP and mySQL)

The variables are set up like this:

$userID = 123; // Unique primary key, always a number
$name = "nameOfTheProperty"; // Always a string
$value = "someText" or 1234; // Depending on the property to save

This works if its a integer property:

$sql = "INSERT INTO saves (`User_ID`, `$name`) VALUES ($userID, $value) ON DUPLICATE KEY UPDATE `$name`=$value";

And this if its a string property:

$sql = "INSERT INTO saves (`User_ID`, `$name`) VALUES ($userID, '$value') ON DUPLICATE KEY UPDATE `$name`='$value'";

How can I get this to work in general? Best in one query.

  • 写回答

2条回答 默认 最新

  • dongtuota3633 2015-02-03 15:53
    关注

    MySQL won't care if you pass in a 'string' to a numeric field:

    INSERT INTO (intfield, charfield) VALUES ('42', '42')

    would insert 42 into both fields.

    However, what you're doing is basically vulnerable to SQL injection attacks. You should be using a prepared statement and placeholders. Unfortunately, placeholders cannot represent anything other than VALUES, so you'd still need to build part of your query dynamically, e.g.

    $safefield = $db->real_escape_string('nameOfField');

$sql = "INSERT INTO yourtable (`$safefield`) VALUES (?)";
$stmt = $db->prepare($sql);
$stmt->execute(array($value_for_field));
    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论
查看更多回答(1条)

报告相同问题?

悬赏问题

  • ¥15 springboot 3.0 实现Security 6.x版本集成
  • ¥15 PHP-8.1 镜像无法用dockerfile里的CMD命令启动 只能进入容器启动,如何解决?(操作系统-ubuntu)
  • ¥15 请帮我解决一下下面六个代码
  • ¥15 关于资源监视工具的e-care有知道的嘛
  • ¥35 MIMO天线稀疏阵列排布问题
  • ¥60 用visual studio编写程序,利用间接平差求解水准网
  • ¥15 Llama如何调用shell或者Python
  • ¥20 谁能帮我挨个解读这个php语言编的代码什么意思?
  • ¥15 win10权限管理,限制普通用户使用删除功能
  • ¥15 minnio内存占用过大,内存没被回收(Windows环境)