我用变量代替了sql中的语句就无法从mysql数据库中读取先关的数据了?究竟是为什么?
<?php
if($_GET["dish_kind_breakfast1"]!="暂无"){
$sql="SELECT * FROM dishList_table WHERE dish_kind= '".$_GET["dish_kind_breakfast1"]."' AND vegetarian='".$_GET["vegetarian_breakfast1"]."'AND ".$bodyRequireOne."AND" .$bodyRequireTwo;
$result=$conn->query($sql);
if($result->num_rows>0){
$row=$result->fetch_assoc();
}else{
echo "there is no result.sorry";
}
}
?>
代码如果像上面这样写的话,就无法从数据库中读取。虽然 echo $sql 如下:
SELECT * FROM dishList_table WHERE dish_kind= '粥' AND vegetarian='素食'AND yang_deficiency_constitution='TRUE'ANDbalanced_constitution='TRUE'
但如果我把变量$bodyRequireOne和变量$bodyRequireTwo对应的变量直接写入如下,又可以获取数据:
<?php
if($_GET["dish_kind_breakfast1"]!="暂无"){
$sql="SELECT * FROM dishList_table WHERE dish_kind= '".$_GET["dish_kind_breakfast1"]."' AND vegetarian='".$_GET["vegetarian_breakfast1"]."'AND yang_deficiency_constitution='TRUE'AND balanced_constitution='TRUE'";
$result=$conn->query($sql);
if($result->num_rows>0){
$row=$result->fetch_assoc();
}else{
echo "there is no result.sorry";
}
}
?>
我把 $sql echo 出来对比了,也没有发现什么错误,究竟为什么?还望指点,谢谢!
看起来没有啥错误,使用转义试一试:
$bodyRequireOne = mysqli_real_escape_string($conn, $bodyRequireOne);
$bodyRequireTwo = mysqli_real_escape_string($conn, $bodyRequireTwo);
$sql = "SELECT * FROM dishList_table WHERE dish_kind = '".$_GET["dish_kind_breakfast1"]."'
AND vegetarian = '".$_GET["vegetarian_breakfast1"]."'
AND ".$bodyRequireOne." AND ".$bodyRequireTwo;
谢谢您的回答!完美解决,想想可能这个mysqli_real_escape_string()函数可能是为了防止攻击数据库而设置的,所以表达式要通过它转义才可以哦。