更新时间:2023-01-16 21:24:56
您在某些值后面有分号,也许您应该只传递整数,即 qoh
和 qbuys
.除此之外,您应该在整数值之前使用 mysql_real_escape_string() 和 (int) 以防止 SQL 注入,例如:
You have semicolons after some values maybe you should pass just the integer this are qoh
and qbuys
.
Apart of that you should use mysql_real_escape_string() and (int) before integer values to prevent SQL injection e.g.:
$int = (int)$_GET['price'];
$string = $_GET['val'];
mysql_real_escape_string($string);
另外,如果你想传递多个值,你必须为它们使用数组:
Also if you want to pass multiple values you have to use array for them:
HTML
<input type="hidden" name="ids[]" value="1">
<input type="hidden" name="ids[]" value="2">
<input type="hidden" name="ids[]" value="3">
PHP
$ids = $_GET['ids'];
foreach($ids as $id) {
$sql = 'UPDATE table SET field=? WHERE id='.(int)$id;
....
}