mit Variable innerhalb von MySQL Update-Abfrage in PHP

Question

<?php 
    require 'functions/connection.php'; 
    $conn = Connect(); 
    $e_id = $conn->real_escape_string($_POST['e_id']); 
    $first_name = $conn->real_escape_string($_POST['first_name']); 
    $last_name = $conn->real_escape_string($_POST['last_name']); 
    $e_salary = $conn->real_escape_string($_POST['e_salary']); 
    $e_startdate = $conn->real_escape_string($_POST['e_startdate']); 
    $e_department = $conn->real_escape_string($_POST['e_department']);   
    $sql = "UPDATE employee SET firstname='$first_name' WHERE id=$e_id"; 
    if (mysqli_query($conn, $sql)) { 
     echo "Record updated successfully"; 
    } else { 
     echo "Error updating record: " . mysqli_error($conn); 
    } 
    mysqli_close($conn); 
?> 

Ich versuche, die Variable first_name innerhalb der Update-Abfrage zu verwenden.

Ich habe versucht, die Variable und ihre Funktionsweise ... Dies ist mein Verbindungscode, den ich benutze.

<?php 


function Connect() 
{ 
$dbhost = "localhost"; 
$dbuser = "root"; 
$dbpass = ""; 
$dbname = "company"; 

// Create connection 
$conn = new mysqli($dbhost, $dbuser, $dbpass, $dbname) or die($conn->connect_error); 

return $conn; 
} 

?> 

wenn ii die Variable mit etwas zwischen "" die Datenbank

aktualisiert wird immer ersetzen

Answer 1

functions/connection.php (jetzt ein Objekt):

<?php 
class Connect 
{ 
private $dbhost = "localhost"; 
private $dbuser = "root"; 
private $dbpass = ""; 
private $dbname = "company"; 

public $conn; 

public function __construct() 
{ 
    if($this->conn = new mysqli($this->dbhost, $this->dbuser, $this->dbpass, $this->dbname)) 
    { 
     //connection established 
     //do whatever you want here 
    } 
    else 
    { 
     //Error occurred 
     die($this->conn->error); 
    } 
} 

//other functions here 

} 

?> 

ändern mysqli_query zu: $conn->conn->query($sql);

Vorbereitet Aussage: Avoid SQLI injection

if($stmt = $conn->conn->prepare("UPDATE employee SET firstname = ? WHERE id = ?")) 
{ 
    $stmt->bind_param('si', $first_name, $e_id); 
    $stmt->execute(); 
    echo $stmt->affected_rows; 
} 

Schlusscode:

<?php 
    require 'functions/connection.php'; 
    $conn = new Connect(); 
    $e_id = $conn->conn->real_escape_string($_POST['e_id']); 
    $first_name = $conn->conn->real_escape_string($_POST['first_name']); 
    $last_name = $conn->conn->real_escape_string($_POST['last_name']); 
    $e_salary = $conn->conn->real_escape_string($_POST['e_salary']); 
    $e_startdate = $conn->conn->real_escape_string($_POST['e_startdate']); 
    $e_department = $conn->conn->real_escape_string($_POST['e_department']);   

    if($stmt = $conn->conn->prepare("UPDATE employee SET firstname = ? WHERE id = ?")) 
    { 
     $stmt->bind_param('si', $first_name, $e_id); 
     $stmt->execute(); 
     echo $stmt->affected_rows; 
    } 
    $conn->conn->close(); 
?> 

Answer 2

Ich schlage vor, es wäre sicherer und mit Prepared Statements machen. Dies ist ein Beispiel mysqli verwenden, aber ich ziehe es PDO:

<?php 
     require 'functions/connection.php'; 
     $conn = Connect(); 

     // Prepare the query 
     $myQuery = $conn->prepare("UPDATE employee SET firstname=? WHERE id=?"); 

     $e_id = $conn->real_escape_string($_POST['e_id']); 
     $first_name = $conn->real_escape_string($_POST['first_name']); 
     $last_name = $conn->real_escape_string($_POST['last_name']); 
     $e_salary = $conn->real_escape_string($_POST['e_salary']); 
     $e_startdate = $conn->real_escape_string($_POST['e_startdate']); 
     $e_department = $conn->real_escape_string($_POST['e_department']);   

     // Bind your variables to the placemarkers (string, integer) 
     $myQuery->bind_param('si', $first_name, $e_id); 

     if ($myQuery->execute() == false) { 
     echo 'Error updating record: ' . $mysqli->error; 
     } 
     else { 
     echo 'Record updated successfully'; 
     } 
     $myQuery->close(); 

    ?> 

Hinweis: Die ‚Säuberung‘ Du bist in der Mitte zu tun was ich noch habe, aber es ist nicht wirklich notwendig, mit vorbereiteten Anweisungen.