Is this the correct way to do subtraction in an SQL query when using a prepared statement?
$sql = "UPDATE users set credits = (credits-$price) WHERE username = ?";
The code that subtracts the user's credits according to the value of $price:
$price = $row0['price'];
// $price is interpolated straight into the SQL text; only the username is bound
$sql = "UPDATE users set credits = (credits-$price) WHERE username = ?;";
$stmt1 = mysqli_stmt_init($conn);
if(!mysqli_stmt_prepare($stmt1, $sql)) {
    $db_err = array("error" => "Database");
    echo json_encode($db_err);
} else {
    mysqli_stmt_bind_param($stmt1, "s", $_SESSION['username']);
    mysqli_stmt_execute($stmt1);
}
You need to use a placeholder for the $price variable as well in order to use prepared statements correctly. Concatenating a value is never safe unless you can check that value against a list of allowed values.
$sql = "UPDATE users set credits = (credits - ?) WHERE username = ?;";
mysqli_stmt_prepare($stmt1, $sql);
// both values are bound as parameters; the query text no longer contains user-controlled data
mysqli_stmt_bind_param($stmt1, "ss", $price, $_SESSION['username']);
mysqli_stmt_execute($stmt1);
Note that it is better to use the object-oriented syntax, for many reasons: https://phpdelusions.net/mysqli/mysqli_connect#procedural. It is done as follows:
$stmt1 = $mysqli->prepare("UPDATE users set credits = (credits - ?) WHERE username = ?");
$stmt1->bind_param("ss", $price, $_SESSION['username']);
$stmt1->execute();
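As an added example (not code from the question or the answer above), here is the same debit written as a small function with both values bound, error reporting turned on so a failed prepare or execute cannot be silently ignored, and a `credits >= ?` guard so the balance can never be driven negative by a concurrent purchase. The table and column names and the `$_SESSION['username']` lookup come from the page; the function name `debitCredits`, the assumption that `price` and `credits` are integers, and the guard clause are assumptions made for this example.

```php
<?php
// Added example: parameterised debit of a user's credits (not the original poster's code).
// Assumes a mysqli connection $mysqli and a `users` table with `username` and `credits`
// columns as in the question. The integer types and the `credits >= ?` guard are assumptions.

declare(strict_types=1);

// Throw exceptions instead of returning false, so a failed prepare/execute cannot be missed.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function debitCredits(mysqli $mysqli, string $username, int $price): bool
{
    if ($price <= 0) {
        throw new InvalidArgumentException('price must be a positive integer');
    }

    // Both values travel as bound parameters; the SQL text itself is a constant.
    // `credits >= ?` makes the check and the debit one atomic statement, so two
    // concurrent purchases cannot both succeed against a single balance.
    $stmt = $mysqli->prepare(
        'UPDATE users SET credits = credits - ? WHERE username = ? AND credits >= ?'
    );
    $stmt->bind_param('isi', $price, $username, $price);
    $stmt->execute();

    // Exactly one row changed means the debit happened; zero rows means the user
    // does not exist or the balance was too low (price > 0, so a matched row always changes).
    $debited = $stmt->affected_rows === 1;
    $stmt->close();
    return $debited;
}

// Usage, assuming $mysqli was created with new mysqli(...) elsewhere and $row0 is
// the product row from the question:
// if (!debitCredits($mysqli, $_SESSION['username'], (int) $row0['price'])) {
//     echo json_encode(['error' => 'Insufficient credits']);
// }
```

With the guard in the WHERE clause, the caller learns from the return value whether the debit actually took place rather than having to read the balance first and update afterwards, which would leave a window between the two queries.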