使用php登錄mysql數據庫的用戶更新點

Question

我正在嘗試從我的android應用中獲取字符串用戶名，並使用該用戶名爲該特定用戶帳戶添加5個點。

Example: 
My database now: user_id name username password points 
        1  test test  test  0 

What I want:  user_id name username password points 
        1  test test  test  5 

這是我現在使用的PHP代碼，一定出事了吧：

<?php 
$con = mysqli_connect("localhost", "id177667_root", "***", "id177667_loginb"); 
$username = $_POST["username"]; 
$sql = "UPDATE user ". "SET points = points + 5 ". "WHERE username = $username" ; 
$response = mysqli_query($sql, $con); 
?> 

Answer 1

你眼花繚亂的參數mysqli_query。應該是mysqli_query($con, $sql);。也有一些其他的問題 - 這應該工作：

<?php 
    $con = mysqli_connect("localhost", "id177667_root", "***", "id177667_loginb"); 
    $username = mysqli_real_escape_string($con, $_POST["username"]); 
    $sql = "UPDATE user SET points = points + 5 WHERE username = '$username'" ; 
    $response = mysqli_query($con, $sql); 
?> 

至於有人提出，準備語句是要走的首選方式。所以你可以這樣做...現在測試它，它適用於我：

<?php 
    $points = 5; 

    // Connect to database (credentials should not be stored in code...) 
    $con = new mysqli("localhost", "id177667_root", "***", "id177667_loginb"); 

    // Check if connection succeeded 
    if ($con->connect_error) 
    die("Connection error: " . $con->connect_error); 

    // Prepare statement 
    if ($st = $con->prepare("UPDATE user SET points = points + ? WHERE username = ?")) { 

    // Bind parameters (i for integer value, s for string) 
    $st->bind_param("is", $points, $_POST["username"]); 

    // Execute statement 
    $st->execute(); 

    // Close statement 
    $st->close(); 
} else { 
    // Prepare failed: report error 
    die("Prepare failed: " . $con->error); 
} 

    // Close DB connection 
    $con->close(); 
?>