dongmiao4733 2009-08-26 23:04
浏览 37
已采纳

使用PHP在MySQL INSERT QUERY中检查变量存在的简明方法

I am writing a PHP script to add items to a shopping basket. My shopping basket table has fields for the userid, product id, session id, notes and a few others. Some of the fields can be blank. For example:

if someone isn't signed in, then I will store their session id in the table and, if they sign in, add their userid so I have a permanant way to match the items in the table to the user. If they are, I'll add the userid. When it comes to the INSERT query, can I do something like this:

$add_sql = "INSERT into sessionBasket (userid) VALUES ( '". isset($_SESSION["userid"]) ? $_SESSION["userid"] : "") ."'";

It would save me so much time on variable checking and branching because people could be signed in or not, items could have notes or not, that sort of thing.

  • 写回答

1条回答 默认 最新

  • douqiang7462 2009-08-26 23:12
    关注

    Yikes! SQL Injection! you could lose your whole database

    You should be looking at prepared statements for your sql insertion.

    You need to use the mysqli interface but it goes like this:

    $statement = $db_connection->prepare("insert into ... VALUES(?)");
$statement->bind_param("id", $sid);
$statement->execute();

    This will prevent sql injection attacks.

    At an absolute minimum you should at least escape the string.

    $sid = isset($_SESSION[userid]) ? mysql_real_escape_string($_SESSION[userid])) : '';
$add_sql = "insert into ... values($sid)";
    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

悬赏问题

  • ¥20 关于#anlogic#sdram#的问题,如何解决?(关键词-performance)
  • ¥15 相敏解调 matlab
  • ¥15 求lingo代码和思路
  • ¥15 公交车和无人机协同运输
  • ¥15 stm32代码移植没反应
  • ¥15 matlab基于pde算法图像修复,为什么只能对示例图像有效
  • ¥100 连续两帧图像高速减法
  • ¥15 如何绘制动力学系统的相图
  • ¥15 对接wps接口实现获取元数据
  • ¥20 给自己本科IT专业毕业的妹m找个实习工作