英文:
String variable in SQL query within WordPress getting an error when not using single quotes
问题
这段代码位于自定义的WordPress插件中。
if (isset($_POST['send_user'])) {
$username = sanitize_text_field( $_POST['username'] );
global $wpdb;
$customer_id = $wpdb->get_var("SELECT user_id FROM wp_wc_customer_lookup WHERE username = $username");
}
这段代码不正常工作,会出现错误消息,并将NULL值赋给$customer_id。
当我手动更改代码为:
$customer_id = $wpdb->get_var("SELECT user_id FROM wp_wc_customer_lookup WHERE username = 'username'");
这段代码可以完美运行,并提供我正在寻找的user_id。为什么?我漏掉了什么?
英文:
This code is in a custom WordPress plugin.
if (isset($_POST['send_user'])) {
$username = sanitize_text_field( $_POST['username'] );
global $wpdb;
$customer_id = $wpdb->get_var("SELECT user_id FROM wp_wc_customer_lookup WHERE username = $username");
This code does not work properly and it gets an error message with provides a NULL value within $customer_id.
When I manually change the code to:
$customer_id = $wpdb->get_var("SELECT user_id FROM wp_wc_customer_lookup WHERE username = 'username'");
This works perfectly and provides the user_id I am looking for. Why? What am I missing here?
答案1
得分: 1
你需要使用占位符来传递数据给查询,而不是直接将变量注入查询字符串中。
你的查询应该像这样:
$customer_id = $wpdb->get_var(
$wpdb->prepare(
"SELECT user_id FROM wp_wc_customer_lookup WHERE username = %s",
$username
)
);
最佳实践还是从类属性中提取数据库前缀:
$customer_id = $wpdb->get_var(
$wpdb->prepare(
"SELECT user_id FROM {$wpdb->prefix}wc_customer_lookup WHERE username = %s",
$username
)
);
英文:
You need to use placeholders for passing data to the query, instead of directly injecting variables in the query string.
Your query should look like this:
$customer_id = $wpdb->get_var(
$wpdb->prepare(
"SELECT user_id FROM wp_wc_customer_lookup WHERE username = %s",
$username
)
);
It's also best practice to pull the database prefix from class properties:
$customer_id = $wpdb->get_var(
$wpdb->prepare(
"SELECT user_id FROM {$wpdb->prefix}wc_customer_lookup WHERE username = %s",
$username
)
);
答案2
得分: 0
$customer_id = $wpdb->get_var("SELECT user_id FROM wp_wc_customer_lookup WHERE username = $username");
因为将字符串变量 $username 添加到这行代码中后,它看起来像这样:
$customer_id = $wpdb->get_var("SELECT user_id FROM wp_wc_customer_lookup WHERE username = username");
这会导致问题,因为 WHERE 子句正在寻找字符串格式,例如 "username"。为了使这在 SQL 语句中起作用,你不能将 "username" 添加到 SQL 中,因为它会破坏它 - 一旦运行,它将变成这样:
$customer_id = $wpdb->get_var("SELECT user_id FROM wp_wc_customer_lookup WHERE username = "$username"");
第一个双引号退出了 SQL 语句,$username 永远不会被添加。为了使这工作,你必须在字符串变量周围加上单引号 - 就像这样:
$customer_id = $wpdb->get_var("SELECT user_id FROM wp_wc_customer_lookup WHERE username = '$username'");
这满足了所需的参数。
许多人会感到困惑(这也发生在我身上),因为这段代码可以工作:
if (isset($_POST['send_user'])) {
$username = sanitize_text_field( $_POST['username'] );
$tablename = $wpdb->prefix."wc_customer_lookup";
global $wpdb;
$customer_id = $wpdb->get_var("SELECT user_id FROM $tablename WHERE username = 'username'");
以及在使用整数变量时它也可以工作。就像这样:
if (isset($_POST['send_user'])) {
$username = sanitize_text_field( $_POST['username'] );
$tablename = $wpdb->prefix."wc_customer_lookup";
$number = 5;
global $wpdb;
$customer_id = $wpdb->get_var("SELECT user_id FROM $tablename WHERE int = $number");
因此,不考虑的话,你可能会得出结论,使用字符串变量也会起作用。事实并非如此,这是因为 SQL 参数中的字符串必须包括引号。
当使用类似以下的内容:
$wpdb->prepare(
"SELECT user_id FROM $tablename WHERE username = %s",
$username
这将正常工作,因为 prepare 类会将单引号添加到 SQL 语句中,因此你不必担心它。
英文:
$customer_id = $wpdb->get_var("SELECT user_id FROM wp_wc_customer_lookup WHERE username = $username");
does not work because the string variable $username once added into this line of code will look like this:
$customer_id = $wpdb->get_var("SELECT user_id FROM wp_wc_customer_lookup WHERE username = username");
This breaks because the WHERE clause is looking for a string format such as "username". In order to make this work within the SQL statement, you cannot add "username" into the SQL because it will break it - once its runs it will look like this:
$customer_id = $wpdb->get_var("SELECT user_id FROM wp_wc_customer_lookup WHERE username = "$username"");
The first double quote exits the SQL statement and the $username is never added. In order to make this work you have to put single quotes around the string variable - like this:
$customer_id = $wpdb->get_var("SELECT user_id FROM wp_wc_customer_lookup WHERE username = '$username'");
This satisfies the parameters needed.
Many get confused (which happened to me) because this code works:
if (isset($_POST['send_user'])) {
$username = sanitize_text_field( $_POST['username'] );
$tablename = $wpdb->prefix."wc_customer_lookup";
global $wpdb;
$customer_id = $wpdb->get_var("SELECT user_id FROM $tablename WHERE username = 'username'");
and when using an int variable - it works as well. Like this:
if (isset($_POST['send_user'])) {
$username = sanitize_text_field( $_POST['username'] );
$tablename = $wpdb->prefix."wc_customer_lookup";
$number = 5;
global $wpdb;
$customer_id = $wpdb->get_var("SELECT user_id FROM $tablename WHERE int = $number");
So without thinking about it, you may conclude that using a string variable would work as well. Not the case, and it's because the string in the SQL argument must include quotes.
When using something like:
$wpdb->prepare(
"SELECT user_id FROM $tablename WHERE username = %s",
$username
this will work just fine because the prepare class adds the single quotes to the SQL statement so you don't have to worry about it.
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论