$befal = mysql_query("SELECT * FROM users WHERE username = $_GET[username]");
$rad = mysql_fetch_assoc($befal);
等于
Warning: mysql_fetch_assoc(): supplied argument is not a valid MySQL result resource in C:\profile.php on line 4
I have a user called Admin in the field username and it still dont work. profile.php?user=Admin...
This works if I use the ID though:
$befal = mysql_query("SELECT * FROM users WHERE user_id = $_GET[id]");
$rad = mysql_fetch_assoc($befal);
可能是什么问题?
谢谢
最佳答案
呃...这是被黑客攻击的秘诀。我想给你介绍一下SQL injection以此为特征 very funny yet poignant cartoon .
试试这个。
$username = mysql_escape_string($_GET['username']);
$query = mysql_query("SELECT * FROM users WHERE username = '$username'");
关于PHP:使用字符串参数时 SQL 语句中的问题,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/572731/