使用mysql中的变量更新在php中的更新查询

Question

<?php 
    require 'functions/connection.php'; 
    $conn = Connect(); 
    $e_id = $conn->real_escape_string($_POST['e_id']); 
    $first_name = $conn->real_escape_string($_POST['first_name']); 
    $last_name = $conn->real_escape_string($_POST['last_name']); 
    $e_salary = $conn->real_escape_string($_POST['e_salary']); 
    $e_startdate = $conn->real_escape_string($_POST['e_startdate']); 
    $e_department = $conn->real_escape_string($_POST['e_department']);   
    $sql = "UPDATE employee SET firstname='$first_name' WHERE id=$e_id"; 
    if (mysqli_query($conn, $sql)) { 
     echo "Record updated successfully"; 
    } else { 
     echo "Error updating record: " . mysqli_error($conn); 
    } 
    mysqli_close($conn); 
?> 

我想在更新查询中使用first_name变量。

我试着回显变量和它的工作... 这是我使用的连接代码。

<?php 


function Connect() 
{ 
$dbhost = "localhost"; 
$dbuser = "root"; 
$dbpass = ""; 
$dbname = "company"; 

// Create connection 
$conn = new mysqli($dbhost, $dbuser, $dbpass, $dbname) or die($conn->connect_error); 

return $conn; 
} 

?> 

如果是Ⅱ与数据库中得到更新

Answer 1

functions/connection.php（现在的对象）之间的 “” 任何替换变量：

<?php 
class Connect 
{ 
private $dbhost = "localhost"; 
private $dbuser = "root"; 
private $dbpass = ""; 
private $dbname = "company"; 

public $conn; 

public function __construct() 
{ 
    if($this->conn = new mysqli($this->dbhost, $this->dbuser, $this->dbpass, $this->dbname)) 
    { 
     //connection established 
     //do whatever you want here 
    } 
    else 
    { 
     //Error occurred 
     die($this->conn->error); 
    } 
} 

//other functions here 

} 

?> 

更改mysqli_query到：$conn->conn->query($sql);

准备声明： Avoid SQLI injection

if($stmt = $conn->conn->prepare("UPDATE employee SET firstname = ? WHERE id = ?")) 
{ 
    $stmt->bind_param('si', $first_name, $e_id); 
    $stmt->execute(); 
    echo $stmt->affected_rows; 
} 

最终代码：

<?php 
    require 'functions/connection.php'; 
    $conn = new Connect(); 
    $e_id = $conn->conn->real_escape_string($_POST['e_id']); 
    $first_name = $conn->conn->real_escape_string($_POST['first_name']); 
    $last_name = $conn->conn->real_escape_string($_POST['last_name']); 
    $e_salary = $conn->conn->real_escape_string($_POST['e_salary']); 
    $e_startdate = $conn->conn->real_escape_string($_POST['e_startdate']); 
    $e_department = $conn->conn->real_escape_string($_POST['e_department']);   

    if($stmt = $conn->conn->prepare("UPDATE employee SET firstname = ? WHERE id = ?")) 
    { 
     $stmt->bind_param('si', $first_name, $e_id); 
     $stmt->execute(); 
     echo $stmt->affected_rows; 
    } 
    $conn->conn->close(); 
?> 

Answer 2

我建议使之更安全，使用预处理语句。这是使用mysqli的一个例子，但我更喜欢PDO：

<?php 
     require 'functions/connection.php'; 
     $conn = Connect(); 

     // Prepare the query 
     $myQuery = $conn->prepare("UPDATE employee SET firstname=? WHERE id=?"); 

     $e_id = $conn->real_escape_string($_POST['e_id']); 
     $first_name = $conn->real_escape_string($_POST['first_name']); 
     $last_name = $conn->real_escape_string($_POST['last_name']); 
     $e_salary = $conn->real_escape_string($_POST['e_salary']); 
     $e_startdate = $conn->real_escape_string($_POST['e_startdate']); 
     $e_department = $conn->real_escape_string($_POST['e_department']);   

     // Bind your variables to the placemarkers (string, integer) 
     $myQuery->bind_param('si', $first_name, $e_id); 

     if ($myQuery->execute() == false) { 
     echo 'Error updating record: ' . $mysqli->error; 
     } 
     else { 
     echo 'Record updated successfully'; 
     } 
     $myQuery->close(); 

    ?> 

注：“清洗”你做的我已经离开了中间，但它是不是真的有必要用准备好的语句。