php - 数据未从 MySQL 数据库获取

Question

我试图从我的数据库中获取数据，但它没有给我任何输出。它只显示“所有费用”。我的代码如下:

<?php
        include 'preCode.php';
        include 'header.php';

        echo '<body><div class="standardLayout">';
        include 'systemMenu.php';
        echo '<h4>All Charges</h4>';

          $user = unserialize($_SESSION['user']);
          echo $query = "SELECT * FROM billingItems WHERE userID=' " . $user-> userID .  " ' ORDER BY deliveryTimestamp DESC"; 
          $result = mysqli_query($db, $query);
         while ($row = mysqli_fetch_array($result)) {

        echo  $row['type'] . '<br>' . 
                'Cost: $' . $row['amount'] . '<br>' . 
                ' Finalized: ' . $row['deliveryTimestamp']  ;

}
        echo '</div></body></html>';

        $_SESSION['user'] = serialize($user);
        include 'footer.html';
?>

这是 echo $query; 的输出:

All Charges object(user)#2 (11) { ["orders"]=> NULL ["fName"]=> string(6) "kimmie" ["lName"]=> string(4) "kaur" ["address"]=> string(10) "6768bbnmmn" ["phone"]=> string(11) "66767798898" ["email"]=> string(6) "kimmie" ["userID"]=> string(3) "108" ["password"]=> string(4) "kaur" ["passwordX"]=> NULL ["amountOwed"]=> string(1) "0" ["zip"]=> string(6) "768798" } SELECT * FROM billingItems WHERE userID=' 108 ' ORDER BY deliveryTimestamp DESC

Answer 1

在我看来，你的查询构建是一个问题，因为这个

$query = "SELECT * FROM billingItems WHERE userID=' " . $user-> userID .  " ' ORDER BY deliveryTimestamp DESC";

如果 ID 是“bob”，则会为您提供此信息。

SELECT * FROM billingItems WHERE userID=' bob ' ORDER BY deliveryTimestamp DESC

您在 ID 周围嵌入了空格，这与列的内容不匹配。

更安全的方法是使用准备好的语句并绑定(bind)参数，这样您就不会遇到此类错误。它还可以保护您免受 SQL 注入(inject)的侵害。有关详细信息，请参阅此问题:How can I prevent SQL-injection in PHP?