
cannot form correct string

I have the following code to create a SQL query:

$sql= '(SELECT ticket_id,message,created,2 from '.TICKET_MESSAGE_TABLE.' msg where msg.ticket_id ='.db_input($id).' ) UNION (SELECT ticket_id,response,created,1 from '.TICKET_RESPONSE_TABLE.' resp where resp.ticket_id= '.db_input($id).' )UNION (SELECT ticket_id,note,created,3 FROM '.TICKET_NOTE-TABLE .' note WHERE note.ticket_id='.db_input($id).' ) order by created';

echo "sql:  ".$sql;

When I run this I get:

sql: 0 note WHERE note.ticket_id=2 ) order by created

Can anyone please explain where the 0 is coming from and why the string is not formed correctly?

Thanks


TICKET_NOTE-TABLE

This would be easier to spot if you had wrapped your input in some sane fashion :)

$sql= '(SELECT ticket_id,message,created,2 from '.TICKET_MESSAGE_TABLE.
      ' msg where msg.ticket_id ='.db_input($id).
      ' ) UNION (SELECT ticket_id,response,created,1 from '.TICKET_RESPONSE_TABLE.
      ' resp where resp.ticket_id= '.db_input($id).
      ' )UNION (SELECT ticket_id,note,created,3 FROM '.TICKET_NOTE-TABLE .
      ' note WHERE note.ticket_id='.db_input($id).
      ' ) order by created';

echo "sql:  ".$sql;

Furthermore, I hope that db_input() function is there to prevent SQL Injection attacks. And I hope it's well-implemented. (I think using prepared statements is easier and more legible.)

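The `0` is PHP arithmetic, not database output. `TICKET_NOTE-TABLE` is read as two constants, `TICKET_NOTE` and `TABLE`, joined by a minus sign. Neither is defined, and PHP 5 and 7 treat an undefined constant as a string holding its own name (with a notice; PHP 8 throws an Error instead). In PHP 5 and 7 the `.` and `-` operators have equal precedence and associate left, so everything concatenated up to that point is subtracted from the string `"TABLE"`; a non-numeric string minus a non-numeric string is `0`, and only the text after that point is concatenated onto it, which is exactly the `sql: 0 note WHERE ...` the question shows. The following is an added example, not the poster's code or osTicket's: the same three-way UNION written as a PDO prepared statement, as the answer suggests, with the ticket id bound as a parameter instead of spliced into the SQL. The table names, the `ticketIdFromRequest` helper, the in-memory SQLite schema and the rows are all assumptions made here so that it runs offline.

```php
<?php
declare(strict_types=1);

// Added example, not the original poster's code. Table names are assumed;
// osTicket's real constants are not defined here.
const TICKET_MESSAGE_TABLE  = 'ticket_message';
const TICKET_RESPONSE_TABLE = 'ticket_response';
const TICKET_NOTE_TABLE     = 'ticket_note';   // underscore: TICKET_NOTE-TABLE is a subtraction

// Request values arrive as strings; validate before they get anywhere near SQL.
function ticketIdFromRequest(string $raw): int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('ticket id must be a positive integer');
    }
    return $id;
}

// Builds the thread query with the ticket id as a bound parameter.
// Table names are identifiers and cannot be bound, but they come from
// constants the application controls, not from the request.
function ticketThread(PDO $pdo, int $ticketId): array
{
    $sql = 'SELECT ticket_id, message  AS body, created, 2 AS kind FROM ' . TICKET_MESSAGE_TABLE  . ' msg  WHERE msg.ticket_id  = :id_msg'
         . ' UNION '
         . 'SELECT ticket_id, response AS body, created, 1 AS kind FROM ' . TICKET_RESPONSE_TABLE . ' resp WHERE resp.ticket_id = :id_resp'
         . ' UNION '
         . 'SELECT ticket_id, note     AS body, created, 3 AS kind FROM ' . TICKET_NOTE_TABLE     . ' note WHERE note.ticket_id  = :id_note'
         . ' ORDER BY created';

    // Three distinct placeholder names: with emulated prepares switched off,
    // several PDO drivers refuse to bind the same named placeholder twice.
    $stmt = $pdo->prepare($sql);
    foreach ([':id_msg', ':id_resp', ':id_note'] as $name) {
        $stmt->bindValue($name, $ticketId, PDO::PARAM_INT);
    }
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed in-memory database so the example runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

foreach ([TICKET_MESSAGE_TABLE => 'message', TICKET_RESPONSE_TABLE => 'response', TICKET_NOTE_TABLE => 'note'] as $table => $col) {
    $pdo->exec("CREATE TABLE $table (ticket_id INTEGER, $col TEXT, created TEXT)");
}
$pdo->exec('INSERT INTO ' . TICKET_MESSAGE_TABLE  . " VALUES (2, 'printer is on fire',   '2011-05-01 09:00:00')");
$pdo->exec('INSERT INTO ' . TICKET_RESPONSE_TABLE . " VALUES (2, 'have you tried water', '2011-05-01 09:30:00')");
$pdo->exec('INSERT INTO ' . TICKET_NOTE_TABLE     . " VALUES (2, 'escalated',            '2011-05-01 09:15:00')");
$pdo->exec('INSERT INTO ' . TICKET_MESSAGE_TABLE  . " VALUES (3, 'other ticket',         '2011-05-01 08:00:00')");

// A tampered id never reaches the query: "2 OR 1=1" fails FILTER_VALIDATE_INT.
foreach (ticketThread($pdo, ticketIdFromRequest('2')) as $row) {
    printf("%s  kind=%d  %s\n", $row['created'], $row['kind'], $row['body']);
}
```

Two points worth noting. The parentheses around each SELECT in the original are a MySQL extension; SQLite rejects them, and dropping them gives a compound SELECT that both accept. And because the id is bound with `PDO::PARAM_INT` after passing `FILTER_VALIDATE_INT`, the query text never changes with the input, so there is nothing for `db_input()` to escape; the only concatenation left is of constants the code itself defines.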
