PHP在变量中使用mysql发布变量

Question

我需要使用区号作为变量的尾部。例如$publish_page_加区号 我抓住从我的URL $district_num我已经与echo

在此间证实是什么，我已经试过

$district_num = $_REQUEST['district_num']; // from url and works 

$publish_page_.''.$district_num = $district_var['publish_page_'.$district_num.'']; //this does not work 

$publish_page_.''.$district_num = addslashes($_POST['publish_page_'.$district_num.'']); //this does not work 

$sql = "UPDATE districts SET 
     publish_page_$district_num = '$publish_page_$district_num' //this does not work and throws error "can not find publish_page_ in field list 

     WHERE district_num ='$district_num'"; //this works when the above code is removed 

校正码跟进......谢谢如果你想了解PHP's variable variables您@cale_b和@Bill Karwin

 $district_num = (int) $_REQUEST['district_num']; 
    $$publish_page = "publish_page_{$district_num}"; 

    $$publish_page = $district_var[ "publish_page_{$district_num}"]; 

if (isset($_POST['submitok'])): 
    $$publish_page = addslashes($_POST[$publish_page]); 


    $sql = "UPDATE districts SET 
      publish_page_{$district_num} = '$publish_page' 

     WHERE district_num ='$district_num'"; 

Answer 1

，它的手册中（我链接到它）。但你实际上并不需要你的情况。

注意SQL注入。你的代码容易受到攻击。

由于您使用输入形成SQL列名，因此无法使用SQL查询参数来解决该问题。但是您可以将输入转换为整数，这样可以防止SQL注入。

$district_num = (int) $_REQUEST['district_num']; 

$publish_page_col = "publish_page_{$district_num}"; 

以上是安全的，因为(int)铸造确保num变量是只有数字。它不可能包含任何可能导致SQL注入漏洞的字符，如'或\。

对于其他动态值，请使用查询参数。

$publish_page_value = $_REQUEST["publish_page_4{$district_num}"]; 

$sql = "UPDATE districts SET 
     `$publish_page_col` = ? 
     WHERE district_num = ?"; 
$stmt = $pdo->prepare($sql); 
$stmt->execute([ $publish_page_value, $district_num ]); 

由于@cale_b注释如下，您应该明白，在PHP中，变量可以在双引号字符串内展开。有关详情，请参阅http://php.net/manual/en/language.types.string.php#language.types.string.parsing。