cannot form correct string
I have the following code to create an SQL query:
$sql= '(SELECT ticket_id,message,created,2 from '.TICKET_MESSAGE_TABLE.' msg where msg.ticket_id ='.db_input($id).' ) UNION (SELECT ticket_id,response,created,1 from '.TICKET_RESPONSE_TABLE.' resp where resp.ticket_id= '.db_input($id).' )UNION (SELECT ticket_id,note,created,3 FROM '.TICKET_NOTE-TABLE .' note WHERE note.ticket_id='.db_input($id).' ) order by created';
echo "sql: ".$sql;
When I run this, I get:
sql: 0 note WHERE note.ticket_id=2 ) order by created
Can anyone please explain where the 0 is coming from and why the string is not formed correctly?
Thanks
TICKET_NOTE-TABLE
This would be easier to spot if you had wrapped your input in some sane fashion :)
$sql= '(SELECT ticket_id,message,created,2 from '.TICKET_MESSAGE_TABLE.
' msg where msg.ticket_id ='.db_input($id).
' ) UNION (SELECT ticket_id,response,created,1 from '.TICKET_RESPONSE_TABLE.
' resp where resp.ticket_id= '.db_input($id).
' )UNION (SELECT ticket_id,note,created,3 FROM '.TICKET_NOTE-TABLE .
' note WHERE note.ticket_id='.db_input($id).
' ) order by created';
echo "sql: ".$sql;
Furthermore, I hope that the db_input() function is there to prevent SQL Injection attacks. And I hope it's well-implemented. (I think using prepared statements is easier and more legible.)
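The prepared-statement approach the answer mentions, as an added example that is not part of the original answer. The table names, schema and rows are constructed, and PDO with an in-memory SQLite database stands in for the poster's own database layer, which the page does not show.

```php
<?php
// Added example. Table names, schema and sample rows are constructed.
define('TICKET_MESSAGE_TABLE',  'ticket_message');
define('TICKET_RESPONSE_TABLE', 'ticket_response');
// Underscore here: 'TICKET_NOTE-TABLE' parses as TICKET_NOTE minus TABLE,
// a subtraction, which is where the 0 in the question's output comes from.
define('TICKET_NOTE_TABLE',     'ticket_note');

function ticket_thread(PDO $db, $id): array
{
    // Table names are trusted constants; the ticket id is the only outside
    // value and is bound through placeholders, never concatenated.
    // Branches are left unparenthesized so the statement also parses on SQLite.
    $sql = 'SELECT ticket_id, message AS body, created, 2 AS kind FROM '
         . TICKET_MESSAGE_TABLE . ' WHERE ticket_id = ?'
         . ' UNION SELECT ticket_id, response, created, 1 FROM '
         . TICKET_RESPONSE_TABLE . ' WHERE ticket_id = ?'
         . ' UNION SELECT ticket_id, note, created, 3 FROM '
         . TICKET_NOTE_TABLE . ' WHERE ticket_id = ?'
         . ' ORDER BY created';
    $stmt = $db->prepare($sql);
    $stmt->execute([$id, $id, $id]);   // one value per placeholder
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed in-memory database so the example runs offline (needs pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE ticket_message  (ticket_id INTEGER, message  TEXT, created TEXT)');
$db->exec('CREATE TABLE ticket_response (ticket_id INTEGER, response TEXT, created TEXT)');
$db->exec('CREATE TABLE ticket_note     (ticket_id INTEGER, note     TEXT, created TEXT)');
$db->exec("INSERT INTO ticket_message  VALUES (2, 'Printer is down', '2011-01-01 09:00:00')");
$db->exec("INSERT INTO ticket_message  VALUES (5, 'Other ticket',    '2011-01-01 08:00:00')");
$db->exec("INSERT INTO ticket_response VALUES (2, 'Looking into it', '2011-01-01 09:30:00')");
$db->exec("INSERT INTO ticket_note     VALUES (2, 'Replaced toner',  '2011-01-01 10:00:00')");

// Normal lookup: the three rows of ticket 2, oldest first.
foreach (ticket_thread($db, 2) as $row) {
    echo $row['created'], ' [', $row['kind'], '] ', $row['body'], PHP_EOL;
}

// An id carrying SQL syntax is compared as a single literal value,
// so it cannot widen the WHERE clause to other tickets.
$rows = ticket_thread($db, '2 OR 1=1');
echo 'rows for malformed id: ', count($rows), PHP_EOL;
```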