php - How do I write a safe SELECT query with a variable number of user-supplied values using mysqli?

Reposted. Author: 行者123. Updated: 2023-11-29 09:40:41

I need some help with a foreach in my code.

I am posting multiple values into username, as username[0] = user1 , user2
But my foreach gives me only the last entry, or no result at all.

$companyname = $_POST['companyname'];
$username_grab = $_POST['username'];
$username = implode(",", $username_grab);

foreach ($username_grab as $value){
    $value = $username_grab;

    $sql = "select * from linked_user where username = '$value' and company_name = '$companyname'";
    $res = mysqli_query($conn,$value);
    while($row = mysqli_fetch_array($res)){
        $returnValue['username'] = $row['username'];
        $returnValue['user_scid'] = $row['user_scid'];
    }
}
echo json_encode($returnValue);
?>

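Best answer

The task you are performing is a prepared statement with a variable number of placeholders. This is simpler in PDO, but I will show you the mysqli object-oriented style approach. No matter what, always print a json-encoded array so that your receiving script knows what kind of data type to expect.

I have a snippet that includes full diagnostics and error checking. I have not tested this script, but it closely resembles this post of mine.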

if (empty($_POST['companyname']) || empty($_POST['username'])) {  // perform any validations here before doing any other processing
    exit(json_encode([]));
}

$config = ['localhost', 'root', '', 'dbname']; // your connection credentials or use an include file
$values = array_merge([$_POST['companyname']], explode(',', $_POST['username'])); // create 1-dim array of dynamic length
$count = sizeof($values);
$placeholders = implode(',', array_fill(0, $count - 1, '?')); // -1 because companyname placeholder is manually written into query
$param_types = str_repeat('s', $count);
$conn = new mysqli(...$config); // "new" always returns an object, so test connect_error rather than the return value
if ($conn->connect_error) {
    exit(json_encode("MySQL Connection Error: <b>Check config values</b>")); // $conn->connect_error
}
if (!$stmt = $conn->prepare("SELECT username, user_scid FROM linked_user WHERE company_name = ? AND username IN ({$placeholders})")) {
    exit(json_encode("MySQL Query Syntax Error: <b>Failed to prepare query</b>")); // $conn->error
}
if (!$stmt->bind_param($param_types, ...$values)) {
    exit(json_encode("MySQL Query Syntax Error: <b>Failed to bind placeholders and data</b>")); // $stmt->error;
}
if (!$stmt->execute()) {
    exit(json_encode("MySQL Query Syntax Error: <b>Execution of prepared statement failed.</b>")); // $stmt->error;
}
if (!$result = $stmt->get_result()) {
    exit(json_encode("MySQL Query Syntax Error: <b>Get Result failed.</b>")); // $stmt->error;
}
exit(json_encode($result->fetch_all(MYSQLI_ASSOC)));

If you don't want the bloat of all those diagnostic conditions and comments, here is the bare-bones equivalent, which should perform identically:

if (empty($_POST['companyname']) || empty($_POST['username'])) {
    exit(json_encode([]));
}

$values = explode(',', $_POST['username']);
$values[] = $_POST['companyname'];
$count = count($values);
$placeholders = implode(',', array_fill(0, $count - 1, '?'));
$param_types = str_repeat('s', $count);

$conn = new mysqli('localhost', 'root', '', 'dbname');
$stmt = $conn->prepare("SELECT username, user_scid FROM linked_user WHERE username IN ({$placeholders}) AND company_name = ?");
$stmt->bind_param($param_types, ...$values);
$stmt->execute();
$result = $stmt->get_result();
exit(json_encode($result->fetch_all(MYSQLI_ASSOC)));

Regarding "php - How do I write a safe SELECT query with a variable number of user-supplied values using mysqli?", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/56713567/
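
Added example, not part of the original question or answer: one way to build the placeholder list so that it also copes with the input shape the question describes (an array whose element is "user1 , user2"), stray whitespace, duplicates and an empty list. The function names and the MAX_USERNAMES cap are hypothetical; the table and column names come from the question, and the sample input is constructed.

```php
<?php
const MAX_USERNAMES = 100; // assumed cap so the IN list stays bounded
// Accepts an array or a comma-separated string; returns trimmed, unique names.
function normalise_usernames($raw): array
{
    $names = [];
    foreach ((array) $raw as $item) {
        if (!is_string($item)) {
            continue; // nested arrays and other types are never usernames
        }
        foreach (explode(',', $item) as $name) {
            $name = trim($name); // "user1 , user2" must match user1 and user2
            if ($name !== '') {
                $names[$name] = true; // keys de-duplicate ("123" becomes int, hence strval below)
            }
        }
    }
    return array_slice(array_map('strval', array_keys($names)), 0, MAX_USERNAMES);
}

// Returns [sql, types, values], or null when there is nothing to look up.
function build_linked_user_query(string $company, $rawUsernames): ?array
{
    $names = normalise_usernames($rawUsernames);
    if ($company === '' || $names === []) {
        return null; // "IN ()" is a syntax error, so never prepare it
    }
    $marks = implode(',', array_fill(0, count($names), '?'));
    $sql = "SELECT username, user_scid FROM linked_user"
         . " WHERE company_name = ? AND username IN ($marks)";
    return [$sql, str_repeat('s', count($names) + 1), array_merge([$company], $names)];
}

function fetch_linked_users(mysqli $conn, string $company, $rawUsernames): array
{
    $q = build_linked_user_query($company, $rawUsernames);
    if ($q === null) {
        return [];
    }
    [$sql, $types, $values] = $q;
    $stmt = $conn->prepare($sql);
    $stmt->bind_param($types, ...$values); // values travel separately from the SQL text
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// Constructed input in the shape the question describes; no database needed.
$post = ['companyname' => 'Acme', 'username' => ['user1 , user2', "o'brien"]];
echo json_encode(build_linked_user_query($post['companyname'], $post['username'])), "\n";
```

Only the number of `?` marks is ever interpolated into the SQL string, so a quote inside a username reaches the server as bound data and never as query text.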
