Question

我正在组合其他人编写的2段代码。该页面显示mySql数据库中的记录，我正在尝试使用的变量已使用以下代码显示：

<span class="headLeft"><?php echo cleanData($this->RECIPE->name); ?>:</span>

sql select语句正在尝试使用name字段进行查找。

SELECT 
  name
  , Round(Sum(i.calories)/1500*100,2) as calories
  , Round(Sum(protein)/525*100,2) as protein
  , Round(Sum(fat)/300*100,2) as fat
  , Round(sum(carbohydrate)/675*100,2) as carbohydrate
  , Round(sum(fiber)/30*100,2) as fiber
  , Round(sum(sugar)/375*100,2) as sugar
  , Round(sum(saturated_fat)/150*100,2) as saturated_fat
  , Round(sum(monounsaturated_fat)/150*2,2) as monsaturated_fat
  , Round(sum(Polyunsaturated_Fat)/150*2,2) as polyunsaturated_fat
  , Round(sum(cholesterol)/200*100,2) as cholesterol
  , Round(sum(sodium)/1300*100,2) as sodium
  FROM `mr_recipes` r 
  left join ingredients i on r.id = i.recipeid

   where name = ($this->RECIPE->name)
group by name

我无法让变量发挥作用。我不能使用$ name，我尝试用单引号和双引号包装它。

Answer 1

看看准备好的陈述。要防止SQL注入，请不要连接SQL查询和参数。

你应该使用PDO它更安全。

这是一个类似的issue。

试图在sql select语句中使用php变量

1 个答案: