如何将 MySQL 选择查询值放入 PHP 变量中?
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/16088810/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
How to get MySQL select query values into a PHP variable?
提问by Mark
I know I need to use the MySQL fetch to prevent getting a resource ID in my variable but I wondered if you could help me out how to do that. I see from several tutorials they use a loop but I just want to select the one string into a variable. Here is the code I have:
我知道我需要使用 MySQL fetch 来防止在我的变量中获取资源 ID,但我想知道您是否可以帮我解决这个问题。我从几个教程中看到他们使用循环,但我只想将一个字符串选择到一个变量中。这是我的代码:
$img = mysql_query('SELECT pname FROM photos WHERE pphotoid=21');
echo $img;
I basically want $imgto contain the string in the database not Resource id #3it is currently showing. Also is what I wrote prone to an SQL injection?
我基本上想$img在数据库中包含字符串,而不是Resource id #3当前显示的字符串。我写的东西也容易被 SQL 注入?
Learning MySQL so any help would be great!
学习 MySQL,所以任何帮助都会很棒!
采纳答案by Robert
$handle = mysql_query('SELECT pname FROM photos WHERE pphotoid=21');
$row = mysql_fetch_row($handle);
echo $img[0];
http://pl1.php.net/mysql_fetch_row
http://pl1.php.net/mysql_fetch_row
this code will work for you.
这段代码对你有用。
To prevent SQL injection you should use escape functions like mysql_escape_string() you should also check what is your input and valid it
为了防止 SQL 注入,你应该使用像 mysql_escape_string() 这样的转义函数,你还应该检查你的输入是什么并验证它
here you will learn more
在这里你会学到更多
How can I prevent SQL injection in PHP?
also it's better to use PDO because mysql_* are deprecated as of PHP 5.5.0, and will be removed in the future.
最好使用 PDO,因为 mysql_* 从 PHP 5.5.0 起已被弃用,将来会被删除。
here is tutorial to learn connecting to db with PDO
这是学习使用 PDO 连接数据库的教程
http://wiki.hashphp.org/PDO_Tutorial_for_MySQL_Developers
http://wiki.hashphp.org/PDO_Tutorial_for_MySQL_Developers
your code in PDO(assuming you are connected to db) will look like: $id = intval(21); //this code here is senseless however if you get 21 for example via $_GET it will cast it to integer and prevent injection
您在 PDO 中的代码(假设您已连接到 db)将如下所示: $id = intval(21); //这里的代码毫无意义,但是如果你通过 $_GET 得到 21,它会将它转换为整数并防止注入
$stmt = $db->prepare("SELECT pname FROM photos WHERE pphotoid=?");
$stmt->execute(array($id));
$row = $stmt->fetch(PDO::FETCH_ASSOC);
echo $row['pname'];
回答by Hanky Panky
$img=mysql_fetch_assoc(mysql_query('SELECT pname FROM photos WHERE pphotoid=21'));
echo $img["pname"];
Better would be
更好的是
$img=mysqli_fetch_assoc(mysqli_query($link,'SELECT pname FROM photos WHERE pphotoid=21'));
echo $img["pname"];
回答by Jason
I like the following:
我喜欢以下内容:
connection.php:
连接.php:
//All the $*_db variables are pulled from a file kept outside of the document root directory but referenced here to connect to the database
include('/path/to/file/not/in/docroot/connection_info.php');
$DBi = mysqli_connect($hostname_db, $username_db, $password_db, $database_db);
if($mysqli->connect_error) {
//Do something for errors here...
};
file.php
文件.php
include('connection.php');
$q_myQuery = "SELECT `pname` FROM `photos` WHERE `pphotoid` = 21";
$rsmyQuery = mysqli_query($DBi, $q_myQuery) or die(mysqli_error($DBi));
$row_rsmyQuery = mysqli_fetch_assoc($rsmyQuery);
$img = $row_rsmyQuery['pname'];
That's using mysqli*functions, not mysql*which have been deprecated. More on that here: http://us3.php.net/manual/en/mysqlinfo.api.choosing.php
那是使用mysqli*函数,而不是mysql*已被弃用的函数。更多关于这里:http: //us3.php.net/manual/en/mysqlinfo.api.choosing.php
