返回NULL THST执行查询
问题描述:
我的问题是我的函数返回空值,并且不执行我的查询返回NULL THST执行查询
function getUsers($username,$fields = '*')
{
$db_host = "localhost";
$db_user = "root";
$db_pass = "";
$db_name = 'filemanagerusers';
$connection = new mysqli($db_host,$db_user,$db_pass,$db_name);
////////////////////////////////////////////////////////////////
$query = "select $fields from users where username=".$username;
$result = $connection->query($query);
$customers = mysqli_fetch_assoc($result);//etelaate user dar ghalebe yek array be ma barmigarde
return $customers;
}
答
快速不安全修复你(但不最好由于SQL注入): -
$query = "select $fields from users where username= '$username'";
注意: - 用引号括起$username
使其成为字符串。
的首选方法: -
始终使用prepared statements
的mysqli_*
防止SQL Injection
象下面这样: -
function getUsers($username,$fields = '*')
{
$db_host = "localhost";
$db_user = "root";
$db_pass = "";
$db_name = 'filemanagerusers';
$connection = mysqli_connect(($db_host,$db_user,$db_pass,$db_name);
/* check connection */
if (mysqli_connect_errno()) {
printf("Connect failed: %s\n", mysqli_connect_error());
exit();
}
if ($stmt = mysqli_prepare($connection, "SELECT $fields FROM users where username=?")) {
/* bind parameters for markers */
mysqli_stmt_bind_param($stmt, "s", $username);
/* execute query */
mysqli_stmt_execute($stmt);
/* bind result variables */
mysqli_stmt_bind_result($stmt, $customers);
/* close statement */
mysqli_stmt_close($stmt);
/* return result*/
return $customers;
}
}
+2
第二个剪辑应该是唯一提供的解决方案。另外,必须确保'$ fields'不是用户控制的。 – 2017-08-08 13:29:31
你确定你的'用户名是一个整数?如果未包含在引号内 – Thamilan
开始检查失败查询时的错误。 – deceze
你有什么错误吗? –