douyi8760 2016-03-16 00:38
Views: 35
Accepted

Unable to get a variable into the query in a PHP file

<?php
      echo "
          <html>
            <body style=\"background-color:#d3ddd1\">
              <form method=\"post\" name=\"report\" >
              <p>Counselor Report</p>
              <p>Enter email address</p>
              <input type=\"email\" name=\"email\" /><br />
              <p>Select a start date</p>
              <input type=\"date\" name=\"from\" /><br />
              <p>Select an end date</p>
              <input type=\"date\" name=\"until\" /><br />
              <p>Click Below</p>
              <input type=\"submit\" value=\"run report\" />

              </form>
            </body>
           </html> ";
  function get_report() 
     {
      $e_mail = $_POST['email'];
      include ('dbconn.php');
      $sql = "SELECT a.user_email,a.ID, b.ID, b.post_title 
"
       . " FROM
"
       . " wp_posts b
"
       . " INNER JOIN
"
       . " wp_users a
"
       . " ON
"
       . " a.user_email ='".$e_mail."' AND a.ID=b.ID
"
       . " ORDER BY
"
       . " post_date";
       $result = $conn->query($sql);
         var_dump($results);
 }
  get_report();
  ?>

First-time question. I can use a real email address in the query with phpMyAdmin and get a proper return; when I try to incorporate a variable in the PHP query to the db I get a return of NULL, which is not the same return. No errors reported.

Question: What syntax do I use with the variable to enable functionality with PHP?


1 answer

  • dqrmkdu25623 2016-03-16 00:43
    $result = $conn->query($sql);
    var_dump($results);
    

    Check the spelling of your variable name.

    Having said that, you really should be using a prepared statement for this. The syntax would be

    $sql = "SELECT a.user_email, a.ID, b.ID, b.post_title
             FROM wp_posts b
             INNER JOIN wp_users a
               ON a.ID = b.ID
             WHERE a.user_email = ?
             ORDER BY post_date";
    $stmt = $conn->prepare($sql);
    $stmt->bind_param('s', $e_mail);  // 's' means param is a string
    $stmt->execute();
    $result = $stmt->get_result(); // returns a mysqli_result object
    

    The clause WHERE a.user_email = ? includes a parameter placeholder which will be filled in later by a call to mysqli_stmt::bind_param().

    In addition to helping protect against SQL injection, prepared statements automagically handle parameter type matching, quoting and escaping for you.

    As is my custom, I leave error handling as an exercise for the reader.

    This answer was selected by the asker as the best answer.
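The answer above shows the prepared statement but leaves out error handling, which is exactly what hid the asker's typo ("No errors reported"). The following is an added example, not code from the asker or the answerer: it wraps the answer's mysqli prepared statement in a function, turns on exception reporting so a failed prepare() or execute() can no longer pass silently, validates the posted email before it reaches the database, and escapes the result on output. The connection credentials and database name are placeholders; the table names, column names and the join condition a.ID = b.ID are taken as written in the question.

```php
<?php
// Added example (not the original poster's or the answerer's code).
declare(strict_types=1);

// Make mysqli throw mysqli_sql_exception instead of returning false, so a
// failed prepare()/execute() surfaces immediately rather than as a NULL result.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Return the posts for one user, looked up by email, as an array of rows.
 * The email never becomes part of the SQL text: it is bound as a parameter,
 * so quoting and escaping are handled by the driver.
 */
function get_report(mysqli $conn, string $email): array
{
    // Join condition kept as in the question (a.ID = b.ID).
    $sql = "SELECT a.user_email, a.ID AS user_id, b.ID AS post_id, b.post_title
              FROM wp_posts b
              INNER JOIN wp_users a ON a.ID = b.ID
             WHERE a.user_email = ?
             ORDER BY b.post_date";

    $stmt = $conn->prepare($sql);
    $stmt->bind_param('s', $email);   // 's' = bind as string
    $stmt->execute();

    // get_result() requires the mysqlnd driver; on builds without it,
    // use bind_result()/fetch() instead.
    $result = $stmt->get_result();
    $rows   = $result->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

// Only run the report on a POST, and reject values that are not syntactically
// an email before they reach the database (defence in depth; the parameter
// binding above is what actually prevents injection).
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $email = filter_input(INPUT_POST, 'email', FILTER_VALIDATE_EMAIL);
    if ($email === false || $email === null) {
        http_response_code(400);
        echo 'Invalid or missing email address.';
        exit;
    }

    try {
        // Placeholder credentials: replace with the values from dbconn.php.
        $conn = new mysqli('localhost', 'db_user', 'db_password', 'wordpress');
        $conn->set_charset('utf8mb4');

        $rows = get_report($conn, $email);
        if ($rows === []) {
            echo 'No posts found for ' . htmlspecialchars($email, ENT_QUOTES, 'UTF-8');
        }
        foreach ($rows as $row) {
            // Escape on output: post titles are user-influenced data as well.
            echo htmlspecialchars($row['post_title'], ENT_QUOTES, 'UTF-8'), "<br />\n";
        }
        $conn->close();
    } catch (mysqli_sql_exception $e) {
        // Log the real error server-side; never echo driver messages to the browser.
        error_log('report query failed: ' . $e->getMessage());
        http_response_code(500);
        echo 'The report could not be generated.';
    }
}
```

With MYSQLI_REPORT_STRICT enabled, a misspelled variable such as the question's `$results` would also be caught by PHP's own undefined-variable warning, and any SQL error in the prepared statement is raised as an exception instead of being lost.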
