时间戳

首页 > 解决方案 > 从php插入数据库

php - 从php插入数据库

问题描述

我正在尝试从 PHP 将数据插入到我的 SQL Server 数据库中。我没有收到任何错误,但数据未应用于 db。我正在尝试使用相同的查询,但改造成普通的数据库查询并且它有效,所以我认为我的代码有问题:

$query1 = "
   INSERT INTO KPI(KPI_new_name, KPI_definition, KPI_tech_name) 
   VALUES('$KPI_new_name','$KPI_definition','$KPI_tech_name')
";

$query2 = "
   INSERT INTO ReportsKpiRel(Report_Id, KPI_Id) 
   select r.Report_Id, kpis.KPI_Id 
   from Reports r 
   inner join ReportsKpiRel RKR on r.Report_Id = RKR.Report_Id
   inner join KPI kpis on RKR.KPI_Id = kpis.KPI_Id
   where r.Report_Id = '".$repid."' and kpis.KPI_new_name = '".$KPI_new_name."'
";

$qresult = sqlsrv_query($conn, $query1); 
if ($qresult)
{
  $qresult2 = sqlsrv_query($conn, $query2); 
  if($qresult2)
  {
    echo "Success!";
  }
  else
    echo "Failed!";
}
else
echo "error!";

第一次查询顺利。二是不工作。你知道出了什么问题吗?

标签: phpsql-serversqlsrv

解决方案

原答案:

sqlsrv_query()您需要在每次调用后检查错误。但是,您的方法更重要的问题是您的代码对可能的 SQL 注入攻击是开放的。始终尝试使用参数化查询。如文档中所述,sqlsrv_query 函数非常适合一次性查询,并且应该是执行查询的默认选择,除非有特殊情况,并且sqlsrv_query 函数同时进行语句准备和语句执行,并且可以用于执行参数化查询

以下代码基于问题中的代码,是您问题的可能解决方案:

<?php
$query1 = "
    INSERT INTO KPI(KPI_new_name, KPI_definition, KPI_tech_name) 
    VALUES(?, ?, ?)
";

$query2 = "
    INSERT INTO ReportsKpiRel(Report_Id, KPI_Id) 
    select r.Report_Id, kpis.KPI_Id 
    from Reports r 
    inner join ReportsKpiRel RKR on r.Report_Id = RKR.Report_Id
    inner join KPI kpis on RKR.KPI_Id = kpis.KPI_Id
    where r.Report_Id = ? and kpis.KPI_new_name = ? 
";

$params1 = array($KPI_new_name, $KPI_definition, $KPI_tech_name);
$result1 = sqlsrv_query($conn, $query1, $params1);
if ($result1 === false) {
    echo "Error (sqlsrv_query): ".print_r(sqlsrv_errors(), true);
    exit;
}   

$params2 = array($repid, $KPI_new_name);
$result2 = sqlsrv_query($conn, $query2, $params2);
if ($result2 === false) {
    echo "Error (sqlsrv_query): ".print_r(sqlsrv_errors(), true);
    exit;
}

echo "Success!";    
?>

更新:

看来你有一个不同的问题。因此,如果要处理many-to-many关系并且KPI表有标识列,则需要使用以下方法获取生成的值SCOPE_IDENTITY()

<?php
// INSERT into KPI
$query1 = "
    SET NOCOUNT ON;
    INSERT INTO KPI(KPI_new_name, KPI_definition, KPI_tech_name) 
    VALUES(?, ?, ?);
    SELECT SCOPE_IDENTITY() AS KPI_Id
";
$params1 = array($KPI_new_name, $KPI_definition, $KPI_tech_name);
$result1 = sqlsrv_query($conn, $query1, $params1);
if ($result1 === false) {
    echo "Error (sqlsrv_query): ".print_r(sqlsrv_errors(), true);
    exit;
}
$row = sqlsrv_fetch_array($result1, SQLSRV_FETCH_ASSOC);
$kpiid = $row['KPI_Id'];

// INSERT into ReportsKpiRel
$query2 = "
    INSERT INTO ReportsKpiRel(Report_Id, KPI_Id) 
    VALUES (?, ?) 
";
$params2 = array($repid, $kpiid);
$result2 = sqlsrv_query($conn, $query2, $params2);
if ($result2 === false) {
    echo "Error (sqlsrv_query): ".print_r(sqlsrv_errors(), true);
    exit;
}   
?>

推荐阅读