且构网


Increment value in PHP script not working

Updated: 2022-04-27 09:17:41

A few things need to be fixed. First, you are using mysql when you should be using mysqli or PDO. Second, you are using post data without any escaping at all. Thirdly, you don't need this select and update. You can do it in a single statement.

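// Increment the counter in one statement; :article is a named placeholder.
// Match the id directly: MySQL rejects a subquery that selects from the table being updated.
$query = "UPDATE tinyblog SET views = views + 1 WHERE id = :article";
$db = new PDO('mysql:host=localhost;dbname=mydb', 'username', 'password');
$stmt = $db->prepare($query);
// $article_id holds the submitted article id (e.g. taken from the POST data).
$stmt->execute(array(":article" => $article_id));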

What we are doing here is creating a prepared statement with one placeholder. We have named it :article, but it could have been left as ? instead.

Then, when the query is executed, you need to fill in the missing bits by passing in parameters. That's what we are doing in the last step with array(":article"=>$article_id).

Since it's a named parameter, we use an associative array. Alternatively, you could have called execute without any parameters if you had called bindParam first.
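The three binding styles mentioned above, followed by a constructed hostile value, as an added example that is not part of the original answer. It assumes the pdo_sqlite extension and uses an in-memory SQLite database in place of MySQL so it runs without a server; the table layout and sample rows are constructed for the demonstration.

```php
<?php
// Added example: in-memory SQLite stands in for the MySQL database (assumption).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE tinyblog (id INTEGER PRIMARY KEY, views INTEGER NOT NULL DEFAULT 0)');
$db->exec('INSERT INTO tinyblog (id) VALUES (1), (2), (3)'); // constructed rows

$sql_named      = 'UPDATE tinyblog SET views = views + 1 WHERE id = :article';
$sql_positional = 'UPDATE tinyblog SET views = views + 1 WHERE id = ?';

// 1. Named placeholder: value passed to execute() in an associative array.
$stmt = $db->prepare($sql_named);
$stmt->execute(array(':article' => 1));

// 2. Positional placeholder: value passed in a plain array.
$stmt = $db->prepare($sql_positional);
$stmt->execute(array(1));

// 3. bindParam() first, then execute() with no arguments. bindParam() binds
//    the variable by reference, so its value is read when execute() runs.
$stmt = $db->prepare($sql_named);
$stmt->bindParam(':article', $article_id, PDO::PARAM_INT);
$article_id = 2;
$stmt->execute();

// Constructed hostile input, as it might arrive in POST data. It is sent to
// the database as a single value and is never parsed as SQL, so it cannot
// turn the WHERE clause into a condition that matches every row.
$stmt = $db->prepare($sql_named);
$stmt->execute(array(':article' => '1 OR 1=1'));
echo 'rows touched by hostile input: ', $stmt->rowCount(), "\n";

// Show the resulting counters for each row.
foreach ($db->query('SELECT id, views FROM tinyblog ORDER BY id') as $row) {
    echo "id={$row['id']} views={$row['views']}\n";
}
```

Checking `rowCount()` after `execute()` is also a cheap way to notice requests for article ids that do not exist.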