Creating a PHP variable from a MySQL value

I have a problem and I don't know how to solve it. I try to make a simple if statement with a PHP variable. The variable contains a MySQL SELECT value.

```php
// $username is interpolated straight into the SQL string
$adminarray = $mysqli->query("SELECT admin FROM user WHERE name LIKE '$username'");

$currentuser = mysqli_fetch_row($adminarray);

$adm = $currentuser[0];

// "=" inside the if is an assignment, not a comparison
echo "<form action='?delete1' method='post' style='visibility:";if ($adm = 1){echo "block";}else{echo "hidden";}echo "'>
```

I try to hide the button for non-admins ($adm = 0) but it is not working. The if statement always returns "true", even if $adm is 0.

I know the code isn't that good, but I'm still learning. So if you can give some tips :)

Thanks for answering

dongqixuan3112
Warning: when using mysqli you should use parameterized queries and bind_param to add user data to your query. Do not use string interpolation or concatenation to accomplish this, because you have created a severe SQL injection bug. Never put $_POST or $_GET data directly into the query; it can be very harmful if someone attempts to exploit your mistake.
over 3 years ago
douhui3760
if($adm=1) sets $adm to 1 rather than comparing it.
over 3 years ago
douao8204
Possible duplicate of: 3 different equals
over 3 years ago
dsvf46980
There is really no question here. He just wants some tips.
over 3 years ago
dongzhuo1930
You can keep learning, but please try to ask a question. I don't know what you are asking. See How to Ask.
over 3 years ago

2 answers


Firstly, use the ternary operator for inline comparison and read about comparison operators in PHP.

Secondly, do not write a few statements separated by semicolons together. A semicolon in PHP means end of instruction, and it's better to write each one on a new line, so it will be easier to read and maintain the code.

Thirdly, always escape data in SQL queries and check the type of a variable before indexing it as an array (is_array, isset).

Finally, use an IDE (PhpStorm, NetBeans etc.); it will help you to prevent making such mistakes.

```php
// escape special characters before interpolating into the SQL string
$username = $mysqli->real_escape_string($username);
$adminarray = $mysqli->query("SELECT admin FROM user WHERE name LIKE '$username'");

$currentuser = mysqli_fetch_row($adminarray);

// no matching row => null instead of an "undefined offset" notice
$adm = is_array($currentuser) ? $currentuser[0] : null;
// "==" compares; "=" would assign
$visibility = $adm == 1 ? "block" : "hidden";

echo "<form action='?delete1' method='post' style='visibility:$visibility'>";
```

It is also worth noting that prepared statements are preferable to plain SQL queries when you are using parameters. In that case the code will look slightly different:

```php
// the "?" placeholder is filled by bind_param, so $username never becomes part of the SQL text
$stmt = $mysqli->prepare("SELECT admin FROM user WHERE name LIKE ?");
$stmt->bind_param('s', $username);   // 's' = string parameter
$stmt->execute();
$row = $stmt->get_result()->fetch_row();   // get_result() requires mysqlnd
$visibility = (is_array($row) && $row[0] == 1) ? "block" : "hidden";

echo "<form action='?delete1' method='post' style='visibility:$visibility'>";
```

You can find more details about prepared statements here: Prepared Statements
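As an added example (not code from the question or from this answer), the following combines the prepared-statement lookup with a strict comparison and moves the admin check into a function whose result gates both rendering the form and handling the delete request. It assumes the same $mysqli connection, $username value and user(name, admin) table as the question, and swaps LIKE for = so that wildcard characters in a name cannot match other rows.

```php
<?php
// Added example; assumes $mysqli (mysqli connection) and $username
// are already set, as in the question.

function isAdmin(mysqli $mysqli, string $username): bool
{
    // Bound parameter: $username is sent separately from the SQL text,
    // so quotes in it cannot change the query. "=" instead of LIKE so
    // that "_" and "%" in a name are not treated as wildcards.
    $stmt = $mysqli->prepare("SELECT admin FROM user WHERE name = ?");
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_row();
    $stmt->close();

    // No matching row => not an admin. Cast to int and compare with ===,
    // so neither a stray "=" nor a loose "==" can make this pass by accident.
    return is_array($row) && (int) $row[0] === 1;
}

$admin = isAdmin($mysqli, $username);

// Only emit the form for admins. Not sending the markup at all is cleaner
// than style='visibility:hidden', which still delivers the form to every
// browser and merely hides it.
if ($admin) {
    echo "<form action='?delete1' method='post'>"
       . "<button type='submit'>Delete</button></form>";
}

// The hidden/visible form is only a UI convenience; the code that performs
// the deletion must repeat the same check server-side.
if (isset($_GET['delete1']) && $_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!$admin) {
        http_response_code(403);
        exit('Forbidden');
    }
    // ... perform the delete here ...
}
```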

dongping9475
Don't use manual escaping like this. It is more error-prone and more verbose than simply using prepared statements and bind_param.
over 3 years ago




Ok, I feel really stupid right now. I wrote $adm = 1 instead of $adm == 1. I'm really sorry for the waste of time.

drl2051
No pressure, you're learning. We all make mistakes like this.
over 3 years ago
dqiz20794
You're not the only one who has been bitten by this. I think there is a reason Pascal, PL/I and Oracle PL/SQL use the := (colon-equals) operator symbol for assignment.
over 3 years ago