Variables in an SQL statement

Question  Votes: 0  Answers: 1

I have the following code

if(isset($_POST['submit']) || isset($_POST['mon']) || isset($_POST['yer']) || 
    isset($_POST['acty'])) {
        $mon = $_POST['mon'];
        $yer = $_POST['yer'];
        $acty = $_POST['acty'];
}

$str = "SELECT pty, SUM(`PW`) as Total 
        FROM heal 
        WHERE mon='$mon' 
          AND yer='$yer'  
        GROUP BY pty";

How can I pass the variable $acty into this: SUM('PW') .... that is, SUM('$acty')?

php mysql
1 answer
0
votes

Just as you said.

$str = "
    SELECT 
        pty, 
        SUM($acty) as Total 
    FROM 
        heal 
    WHERE 
        mon='$mon' AND 
        yer='$yer'  
    GROUP BY 
        pty";

You can have variables inside double quotes, and PHP will give you their contents.

Side note: your code is open to SQL injection; you must protect your code against SQL injection. Some useful links:

How can I prevent SQL injection in PHP?

Are PDO prepared statements sufficient to prevent SQL injection?
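
An added example, not part of the original question or answer: a column name such as $acty cannot be bound as a prepared-statement parameter, so it is checked against a fixed allow-list, while mon and yer are bound as parameters. It assumes PDO, uses an in-memory SQLite database in place of MySQL so that it runs offline, and the column QW and the sample rows are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Columns that may appear inside SUM(). 'PW' is from the question;
// 'QW' is a hypothetical second column added for this example.
const SUMMABLE_COLUMNS = ['PW', 'QW'];

function totalsByPty(PDO $pdo, array $post): array
{
    $acty = $post['acty'] ?? '';
    $mon  = $post['mon'] ?? '';
    $yer  = $post['yer'] ?? '';

    // Identifiers cannot be bound, so the request value only selects
    // one of the fixed strings above; anything else is rejected.
    if (!is_string($acty) || !in_array($acty, SUMMABLE_COLUMNS, true)) {
        throw new InvalidArgumentException('acty is not a summable column');
    }
    if (!is_string($mon) || !is_string($yer)) {
        throw new InvalidArgumentException('mon and yer must be strings');
    }

    // Values go in as bound parameters, never interpolated into the SQL text.
    $sql = "SELECT pty, SUM(`$acty`) AS Total
            FROM heal
            WHERE mon = :mon AND yer = :yer
            GROUP BY pty
            ORDER BY pty";
    $stmt = $pdo->prepare($sql);
    $stmt->execute([':mon' => $mon, ':yer' => $yer]);
    return $stmt->fetchAll(PDO::FETCH_KEY_PAIR); // pty => Total
}

// Constructed demo data (SQLite stands in for the MySQL table 'heal').
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE heal (pty TEXT, mon TEXT, yer TEXT, PW INTEGER, QW INTEGER)');
$pdo->exec("INSERT INTO heal VALUES ('A','01','2019',5,1), ('A','01','2019',7,2),
            ('B','01','2019',3,4), ('B','02','2019',9,9)");

print_r(totalsByPty($pdo, ['mon' => '01', 'yer' => '2019', 'acty' => 'PW']));

try {
    // A value that is not on the allow-list never reaches the query.
    totalsByPty($pdo, ['mon' => '01', 'yer' => '2019', 'acty' => 'no_such_column; --']);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```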
