我遇到了数据未显示的问题。当我在上面放一个OR时,它确实会显示出来,但是or导致用户2与user1具有相同的数据。
<?php
include 'users.php';
require_once("db_connect.php");
//prepared statement with PDO to query the database
$stmt = $db->prepare("SELECT * FROM requests WHERE User='.$user1.' AND status='Received' ORDER BY id DESC);
$stmt->execute();
?>
用户.php
<?php
$user1 = xxxx;
$user2 = zzzz;
?>
$stmt = $db->prepare("SELECT * FROM requests WHERE User='.$user1.' AND status='Received' ORDER BY id DESC);
如果$user1 = 1
,那么您的 SQL 将是:
SELECT * FROM requests WHERE User='.1.'.
你在外字符串上有双引号,所以你不会转义字符串并连接,这些将是文字点,并且你永远不会在末尾关闭你的外字符串。 另外,如果您打算将变量直接注入字符串,我不确定使用 prepare 的意义......?
应该看起来更像这样:
$stmt = $db->prepare("SELECT * FROM requests WHERE User=:user AND status='Received' ORDER BY id DESC");
$stmt->execute(array(':user' => $user1));
如果你想按照自己的方式做,你可以用以下方法修复看起来像拼写错误的内容:
$stmt = $db->prepare("SELECT * FROM requests WHERE User='".$user1."' AND status='Received' ORDER BY id DESC");
或
$stmt = $db->prepare("SELECT * FROM requests WHERE User='{$user1}' AND status='Received' ORDER BY id DESC");
但是,这两种方法都不安全。他们面临SQL注入攻击的风险。 您应该使用预准备语句,如我所显示的 :user 变量所示,PDO在注入字符串之前首先清理该变量。
要获取计数,请执行以下操作:
$stmt = $db->prepare("SELECT COUNT(*) AS rows_cnt FROM requests WHERE status='Received' AND User=:user");
$stmt->execute(array(':user'=>$user1));
if( false !== ($row = $stmt->fetch(PDO::FETCH_ASSOC)) ) {
echo $row['rows_cnt'];
}
可能是一个错字,但似乎你没有在行尾关闭"
$stmt = $db->prepare("SELECT * FROM requests WHERE User='.$user1.' AND status='Received' ORDER BY id DESC);
所以试试这个:
$stmt = $db->prepare("SELECT * FROM requests WHERE User='.$user1.' AND status='Received' ORDER BY id DESC");