在phpi mysqli中执行减法准备语句是这样做的正确方法吗?

时间:2020-07-10 11:33:47

标签: php mysqli prepared-statement

在sql查询中准备语句的情况下,执行减法运算的正确方法吗?

$sql = "UPDATE users set credits = (credits-$price) WHERE username = ?";

基于$ price的值减去用户信用的代码

$price = $row0['price'];
    
    $sql = "UPDATE users set credits = (credits-$price) WHERE username = ?;";
        $stmt1 = mysqli_stmt_init($conn);
        if(!mysqli_stmt_prepare($stmt1, $sql)) {
                $db_err = array("error" => "Database");
                echo json_encode($db_err);
            } else {
                mysqli_stmt_bind_param($stmt1, "s", $_SESSION['username']);
                mysqli_stmt_execute($stmt1);

1 个答案:

答案 0 :(得分:0)

您需要为$price变量使用一个占位符,以正确使用准备好的语句。除非您能够将值与可能值的列表进行比较,否则串联值永远是不安全的。

$sql = "UPDATE users set credits = (credits - ?) WHERE username = ?;";

if(!mysqli_stmt_prepare($stmt1, $sql)) { 
    ... 
} else {
    mysqli_stmt_bind_param($stmt1, "ss", $price, $_SESSION['username']);
    mysqli_stmt_execute($stmt1);
}

请注意,最好将对象语法用于many reasons。这是您的操作方式:

if($stmt1 = $mysqli->prepare("UPDATE users set credits = (credits - ?) WHERE username = ?")) {
    
    $stmt1->bind_param("ss", $price, $_SESSION['username']);
    $stmt1->execute();

} else {

    //notice I use `$stmt1->error` to get the actual error
    $db_err = array("error" => $stmt1->error);
    echo json_encode($db_err);

}
相关问题
最新问题