This is my first program, and I have done extensive research trying to answer this question, but I cannot solve the problem:
<?php
include "connect.php";
if (!$connection)
{
    die('Could not connect: ' . mysql_error());
}
$submit = $_POST["submit"];
if ($submit=="Submit") {
    $date = $_POST["date"];
    $name = $_POST["name"];
    $activity = $_POST["activity"];
    $activity_level = $_POST["activity_level"];
    $find_role = ("SELECT sales_role
        FROM role
        LEFT JOIN USER on user.role_id = role.id
        WHERE user.user = '$name'");
    $find_activity_points = ("SELECT $activity_$role
        FROM $activity
        WHERE activity_level = '$activity_level'");
    $role = mysql_query($find_role);
    $activity_points = mysql_query($find_activity_points);
    if ($activity_points !== false) {
    }
    else {
        echo mysql_error ();
        die;
    }
    $convert_activity_points = array();
    while ($row = mysql_fetch_array($activity_points, MYSQL_ASSOC)) {
        $convert_activity_points[] = $row;
    }
    $set_points = "UPDATE $name SET $activity='$convert_activity_points' WHERE day='$date'";
    mysql_query($set_points);
}
mysql_close($connection);
?>
And this is the error message that I get when I submit form.php to update.php: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'FROM dial WHERE activity_level='70'' at line 1
P.S. I know there are SQL injection vulnerabilities, but I am the only person using this program and I use it locally on my own computer. I am fine with the vulnerabilities for now.
Edit: changed the code (I really appreciate the feedback)
$find_role = "SELECT sales_role FROM role LEFT JOIN USER on user.role_id=role.id WHERE user.user='$name'";
$find_activity_points = "SELECT %s_%s FROM $activity WHERE activity_level='%d'";
list($role) = mysql_fetch_array(mysql_query($find_role));
$activity_points = mysql_query(
    sprintf($find_activity_points, //the main string
        $activity, $role, $activity, $activity_level) //the "arguments"
);
if ($activity_points !== false) {
}
else {
    echo mysql_error ();
    die;
}
Updates the table with 0 and doesn't display an error msg. Re SQL injection vulnerabilities, see my original PS statement
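
An added example (not the poster's code and not part of the original post) of the role and points lookup, with the table and column names checked against an allow-list and the values passed as bound parameters. The in-memory SQLite database via PDO, the schema, the `ACTIVITIES` and `ROLES` lists, and the function names `find_role` and `activity_points` are assumptions made so that it runs stand-alone.

```php
<?php
declare(strict_types=1);
// Added example. The schema and the two allow-lists below are assumptions.
const ACTIVITIES = ['dial'];
const ROLES = ['junior', 'senior'];

function find_role(PDO $db, string $name): ?string
{
    $stmt = $db->prepare('SELECT role.sales_role FROM user
        LEFT JOIN role ON user.role_id = role.id WHERE user.user = ?');
    $stmt->execute([$name]);
    $role = $stmt->fetchColumn();   // a scalar value, not a result handle
    return is_string($role) ? $role : null;
}

function activity_points(PDO $db, string $activity, string $role, int $level): ?int
{
    // Identifiers cannot be bound as parameters, so accept only known names.
    if (!in_array($activity, ACTIVITIES, true) || !in_array($role, ROLES, true)) {
        throw new InvalidArgumentException('unknown activity or role');
    }
    // Braces matter: "$activity_$role" is parsed as the variable $activity_
    // followed by $role, not as $activity, an underscore, and $role.
    $column = "{$activity}_{$role}";
    $stmt = $db->prepare("SELECT $column FROM $activity WHERE activity_level = ?");
    $stmt->execute([$level]);
    $points = $stmt->fetchColumn();
    return is_numeric($points) ? (int)$points : null;
}

// Constructed sample data in an in-memory database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE role (id INTEGER PRIMARY KEY, sales_role TEXT)');
$db->exec('CREATE TABLE user (user TEXT, role_id INTEGER)');
$db->exec('CREATE TABLE dial (activity_level INTEGER, dial_junior INTEGER, dial_senior INTEGER)');
$db->exec("INSERT INTO role VALUES (1, 'junior'), (2, 'senior')");
$db->exec("INSERT INTO user VALUES ('alice', 2)");
$db->exec('INSERT INTO dial VALUES (70, 5, 8)');

$role = find_role($db, 'alice');
if ($role === null) {
    exit("no role found for user\n");
}
var_dump(activity_points($db, 'dial', $role, 70));
```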