1. 首页
  2. 问答
  3. 返回NULL THST执行查询

返回NULL THST执行查询

2017-08-08 94 views
-4

我的问题是我的函数返回空值,并且不执行我的查询返回NULL THST执行查询

function getUsers($username,$fields = '*') 
{ 
    $db_host = "localhost"; 
    $db_user = "root"; 
    $db_pass = ""; 
    $db_name = 'filemanagerusers'; 
    $connection = new mysqli($db_host,$db_user,$db_pass,$db_name); 
    //////////////////////////////////////////////////////////////// 
    $query = "select $fields from users where username=".$username; 
    $result = $connection->query($query); 
    $customers = mysqli_fetch_assoc($result);//etelaate user dar ghalebe yek array be ma barmigarde 
    return $customers; 
}

来源

2017-08-08 sinak

+1

你确定你的'用户名是一个整数?如果未包含在引号内 – Thamilan

+0

开始检查失败查询时的错误。 – deceze

+0

你有什么错误吗? –

回答

2

快速不安全修复你(但不最好由于SQL注入): -

$query = "select $fields from users where username= '$username'";

注意: - 用引号括起$username使其成为字符串。

的首选方法: -

始终使用prepared statementsmysqli_*防止SQL Injection象下面这样: -

function getUsers($username,$fields = '*') 
{ 
    $db_host = "localhost"; 
    $db_user = "root"; 
    $db_pass = ""; 
    $db_name = 'filemanagerusers'; 
    $connection = mysqli_connect(($db_host,$db_user,$db_pass,$db_name); 
    /* check connection */ 
    if (mysqli_connect_errno()) { 
     printf("Connect failed: %s\n", mysqli_connect_error()); 
     exit(); 
    } 
    if ($stmt = mysqli_prepare($connection, "SELECT $fields FROM users where username=?")) { 

     /* bind parameters for markers */ 
     mysqli_stmt_bind_param($stmt, "s", $username); 

     /* execute query */ 
     mysqli_stmt_execute($stmt); 

     /* bind result variables */ 
     mysqli_stmt_bind_result($stmt, $customers); 


     /* close statement */ 
     mysqli_stmt_close($stmt); 

     /* return result*/ 

     return $customers; 
    } 
}

来源

2017-08-08 13:12:54

+2

第二个剪辑应该是唯一提供的解决方案。另外,必须确保'$ fields'不是用户控制的。 – 2017-08-08 13:29:31

相关问题

 相关问题