$insertQuery = "INSERT INTO appointment
(appointmentID
, doctorid
, appointmentDate
, symptoms
, patientid
, time
)
SELECT '" . $id . "'
, n.doctorid
, '" . $date . "'
, '". $symptoms ."'
, p.patientid
FROM (SELECT e.doctorid
FROM doctors e
WHERE e.doctorName LIKE '" . $docName . "'
LIMIT 1
) d
CROSS
JOIN (SELECT q.patientid
FROM patient q
WHERE q.patientName LIKE '" . $nameOfUser ."'
LIMIT 1
) p ";
這種說法是主題到SQL注入。爲了緩解這種情況,您需要轉義包含在SQL文本中的「不安全」值,或者使用帶有綁定佔位符的準備好的語句。
假設你正在使用的mysqli接口的程序風格的功能,連接被命名爲$con
$insertQuery = "INSERT INTO appointment
(appointmentID
, doctorid
, appointmentDate
, symptoms
, patientid
, time
)
SELECT '" . mysqli_real_escape_string($con, $id) . "'
, n.doctorid
, '" . mysqli_real_escape_string($con, $date) . "'
, '" . mysqli_real_escape_string($con, $symptoms) ."'
, p.patientid
FROM (SELECT e.doctorid
FROM doctors e
WHERE e.doctorName LIKE '" . mysqli_real_escape_string($con, $docName) . "'
LIMIT 1
) d
CROSS
JOIN (SELECT q.patientid
FROM patient q
WHERE q.patientName LIKE '" . mysqli_real_escape_string($con, $nameOfUser) ."'
LIMIT 1
) p ";
已準備語句會使用綁定的佔位符代替文字:
$insertQuery = "INSERT INTO appointment
(appointmentID
, doctorid
, appointmentDate
, symptoms
, patientid
, time
)
SELECT ?
, n.doctorid
, ?
, ?
, p.patientid
FROM (SELECT e.doctorid
FROM doctors e
WHERE e.doctorName LIKE ?
LIMIT 1
) d
CROSS
JOIN (SELECT q.patientid
FROM patient q
WHERE q.patientName LIKE ?
LIMIT 1
) p ";
你定義'預約ID'與PRIMARY_KEY和AUTO_INCREMENT?如果是的話,你可以刪除'約會ID'字段或設置爲'空' – 2014-09-30 01:20:43
仍然沒有成功。 – Gokigooooks 2014-09-30 01:45:17