Updated: 2023-11-28 23:34:04
Your string concatenation is messed up; it should be (further simplified):
$selDoc="SELECT * FROM documents WHERE 'U".$_SESSION['userId']."' IN (senderID,receiver_id) ORDER BY id DESC";
When the statement above is parsed, it will look like this:
SELECT *
FROM documents
WHERE 'UXX' IN (senderID, receiver_id) -- where XX is the userId
ORDER BY id DESC
As a sidenote, the query is vulnerable to SQL injection if the value(s) of the variables come from the outside. Please take a look at the article below to learn how to prevent it. By using PreparedStatements you can get rid of using single quotes around values.
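The following is an added example, not code from the answer above; it rebuilds the same `'Uxx' IN (senderID, receiver_id)` query against a constructed in-memory SQLite table so you can compare the string-built form with a prepared statement. The `documents` rows, column names and the `make_db` / `fetch_*` helpers are assumptions made for the demonstration; Python's `sqlite3` module stands in for PHP's database layer.

```python
import sqlite3

# Constructed sample rows (id, senderID, receiver_id, title); not real data.
SAMPLE_ROWS = [
    (1, "U7", "U9", "first"),
    (2, "U9", "U7", "second"),
    (3, "U3", "U4", "third"),
    (4, "U7", "U7", "fourth"),
]


def make_db():
    """Return an in-memory SQLite connection holding a constructed documents table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE documents ("
        "id INTEGER PRIMARY KEY, senderID TEXT, receiver_id TEXT, title TEXT)"
    )
    conn.executemany("INSERT INTO documents VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def concat_query(user_id):
    """Build the query by string concatenation, the same shape as the PHP line above.

    Kept only to show the weakness: user_id is spliced into the SQL text, so the
    value itself decides how the statement parses.
    """
    return (
        "SELECT * FROM documents WHERE 'U" + str(user_id)
        + "' IN (senderID, receiver_id) ORDER BY id DESC"
    )


def fetch_concat(conn, user_id):
    """Run the concatenated query and return the matching document ids."""
    return [row[0] for row in conn.execute(concat_query(user_id))]


def concat_query_is_broken(conn, user_id):
    """True when the concatenated statement no longer parses for this user_id.

    A single quote in the value is enough: it merges with the surrounding
    quotes and the statement structure changes, which is exactly the risk
    the answer warns about.
    """
    try:
        fetch_concat(conn, user_id)
    except sqlite3.OperationalError:
        return True
    return False


def fetch_prepared(conn, user_id):
    """Prepared statement: the 'U' prefix and the id travel as one bound value.

    No quotes are written around the placeholder; the driver sends the value
    separately, so it can never alter the statement, only be compared by it.
    """
    sql = "SELECT * FROM documents WHERE ? IN (senderID, receiver_id) ORDER BY id DESC"
    return [row[0] for row in conn.execute(sql, ("U" + str(user_id),))]


if __name__ == "__main__":
    db = make_db()
    print("concatenated, id 7:", fetch_concat(db, 7))
    print("prepared, id 7:    ", fetch_prepared(db, 7))
    print("concatenated breaks on a quote:", concat_query_is_broken(db, "7'"))
    print("prepared with a quote just matches nothing:", fetch_prepared(db, "7'"))
```

For a well-formed id both variants return the same documents, newest first. The difference shows up as soon as the session value contains a single quote: the concatenated statement fails to parse (or, with a crafted value, parses into something else), while the prepared statement simply compares the literal text and finds no row.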