0

虽然有大量 PDO 使用示例,但我无法成功地将 mysql_query 转换为 PDO 语句。

以下是有效但不安全的方法:

<?php
$db = mysql_connect("localhost","username","passphrase");
mysql_select_db("database",$db);
$cat= $_GET["cat"];
/* grab a row and print what we need */
$result = mysql_query("SELECT * FROM cat WHERE cat = '$cat' ",$db);
$myrow3 = mysql_fetch_row($result);
echo "$myrow3[2]";
/* here's an array */
echo '<div class="container">';
$q = mysql_query("SELECT * FROM name WHERE Field4 = '$cat'",$db);
while ($res = mysql_fetch_array($q)){
    echo '<div class="item"><p><a href="bits.php?page=' . $res['Field2'] . '&' . $res['Field6'] . '">' . $res['Field1'] . '</a></p></div>';
}
echo '</div>';
?>

到目前为止,这是我尝试将 mysql_query* 转换为 PDO 语句的尝试,基于如何防止 PHP 中的 SQL 注入?. 目前该页面不显示,以及任何东西。任何见解将不胜感激!

<?php

$pdo = new PDO('mysql:host=localhost;dbname=database','username','password');
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$cat= $_GET["cat"];
/* let try grabbing one of those rows, do not think an array should be here? */
$stmt = $pdo->prepare('SELECT * FROM cat WHERE cat = :cat');
$stmt->bindParam(':cat', $cat);
$result = $stmt->fetch(PDO::FETCH_ASSOC);
echo $result[2];
/* Now we need an array similar to what we had before */
echo '<div class="container">';
$stmt = $pdo->prepare('SELECT * FROM name WHERE Field4 = :Field4');
while ($res = $stmt->execute(array(':cat' => $cat))) {
    echo '<div class="item"><p><a href="bits.php?page=' . $res['Field2'] . '&' . $res['Field6'] . '">' . $res['Field1'] . '</a></p></div>';
}
echo '</div>';
?>
4

1 回答 1

3

首先,你这样做的方式并没有保护你。

PDO 语句应如下所示(来自手册):

$stmt = $dbh->prepare("INSERT INTO REGISTRY (name, value) VALUES (:name, :value)");
$stmt->bindParam(':name', $name);
$stmt->bindParam(':value', $value);

因此,对于您的示例:

$stmt = $pdo->prepare('SELECT * FROM cat WHERE cat = :cat');
$stmt->bindParam(':cat', $cat);
$result = $stmt->fetch(PDO::FETCH_ASSOC);

或者你可以这样做:

$stmt = $pdo->prepare("SELECT * FROM cat where cat = ?");
if ($stmt->execute(array($cat)) {
  while ($row = $stmt->fetch()) {
    //print stuff or whatever
  }
}

最后,在你的最后一部分:

while $stmt->execute(array(':cat' => $cat));
echo '<div class="item"><p><a href="bits.php?page=' . $res['Field2'] . '&' . $res['Field6'] . '">' . $res['Field1'] . '</a></p></div>';

看起来 $res 从来没有被设置过。它应该看起来像:

while ($res = $stmt->execute(array(':cat' => $cat)) {
    echo '<div class="item"><p><a href="bits.php?page=' . $res['Field2'] . 
         '&' . $res['Field6'] . '">' . $res['Field1'] . '</a></p></div>';
}
于 2013-05-17T19:39:50.710 回答