PHP将数据库中的int与POST [int]进行比较[关闭]

Question

以下代码有问题：

if(isset($_POST['submit'])){

$name = $_POST['productname'];
$sql= "SELECT quantity FROM products WHERE productid='$name'";
$amount= $sql + 0;
$quantitysold = $_POST['quantitysold']; 
$amountsold = $quantitysold + 0;
var_dump($amountsold);
var_dump($amount);

if($amountsold > $amount){
    echo 'Not enough product';}

else if($name && $quantitysold){
    $query = $db->query("UPDATE products SET quantity=quantity-$quantitysold
    WHERE productid='$name'");
    $query = $db->query("DELETE FROM products WHERE quantity<'1'");} 

else{
    echo 'Incomplete Data';}

}

问题是 sql 被读取为字符串，而不是我希望将其重定向到的整数。这意味着我无法比较 $amount 和 $quantitysold。

我最近开始学习 PHP，所以这可能是一个新手错误。

Answer 1

使用来自 php 函数的过滤器输入

   if(isset($_POST['submit'])){

$name = filter_input(INPUT_POST, "productname",FILTER_SANITIZE_NUMBER_INT);
$sql= "SELECT quantity FROM products WHERE productid=$name";
$amount= $sql + 0;
$quantitysold = $_POST['quantitysold']; 
$amountsold = $quantitysold + 0;
var_dump($amountsold);
var_dump($amount);

if($amountsold > $amount){
    echo 'Not enough product';}

else if($name && $quantitysold){
    $query = $db->query("UPDATE products SET quantity=quantity-$quantitysold
    WHERE productid=$name");
    $query = $db->query("DELETE FROM products WHERE quantity<'1'");} 

else{
    echo 'Incomplete Data';}

}

Answer 2

代码的第一部分没有将 sql 查询字符串传递给 sql 引擎。以下是如果您使用 PDO (Php Data Objects) 会如何完成

if(isset($_POST['submit'])){

    $db = new PDO("mysql:host=localhost;dbname=yourdatabasename","yourusername","yourpassword");
    $name = $_POST['productname'];
    $sql= "SELECT quantity FROM products WHERE productid=?";
    $statement = $db->prepare($sql);
    $statement->execute(array($name));
    $row = $statement->fetch(PDO::FETCH_NUM);
    $amount= $row[0];

// the rest of your code