1

就开发而言,我对 php 和 MySQL 还是很陌生。我很想得到一些建议,以确保我做的一切都是正确的。我有一页我相信以正确的方式转换,还有一页我需要转换。

这是我设置的那个是正确的吗?

<?php $title = 'SEARCH'; $page = '';include 'includes/header.php';?>

<body>

<?php include 'includes/nav.php'; ?>

<?php
$q = $_GET['q'];

// CONNECT TO THE DATABASE
$DB_NAME = 'code_storage';
$DB_HOST = 'localhost';
$DB_USER = 'user';
$DB_PASS = 'pass';

try {
    $dbcon = new PDO("mysql:host=$DB_HOST;dbname=$DB_NAME", $DB_USER, $DB_PASS);
    //echo 'Connected to database';

    $sql = <<<SQL
    SELECT * 
    FROM snippets
    WHERE CODE_NAME LIKE '%$q%' OR
    CODE_DESC LIKE '%$q%' OR
    CODE_TAGS LIKE '%$q%' OR
    CODE_USAGE LIKE '%$q%'
 SQL;
    echo '<div class="row">';
    echo    '<div class="panel">';
        printf("Your search for <b>$q</b> returned %d records.\n", $dbcon->query($sql)->rowCount());
    echo    '</div>';
    echo '</div>';

    foreach ($dbcon->query($sql) as $row) {
        //print $row['CODE_NAME'] . '<br/>' . "\n";
        echo '   <div class="row">' . "\n";
        echo '       <div class="large-12 columns">' . "\n";
        echo '              <b><a href="results.php?id=' . $row['_ID'] . '">' . $row['CODE_NAME'] . '</a></b><br/><br/>' . "\n";
        echo '       </div>' . "\n";
        echo '   </div>' . '<br/><br/>' . "\n";
    }


    $dbcon = null;
}
catch(PDOException $e)
{
    echo $e->getMessage();
}
 ?>
<?php include 'includes/footer.php';?>

这是我仍然需要转换的一个,这是我真正可以使用一些帮助的

<?php

// CONNECT TO THE DATABASE
$DB_NAME = 'code_storage';
$DB_HOST = 'localhost';
$DB_USER = 'user';
$DB_PASS = 'pass';


$mysqli = new mysqli($DB_HOST, $DB_USER, $DB_PASS, $DB_NAME);

if (mysqli_connect_errno()) {
    printf("Connect failed: %s\n", mysqli_connect_error());
    exit();
}

// Fix for the ' and " 

$_POST['name'] = $mysqli->real_escape_string($_POST['name']);
$_POST['desc'] = $mysqli->real_escape_string($_POST['desc']);
$_POST['usage'] = $mysqli->real_escape_string($_POST['usage']);
$_POST['code'] = $mysqli->real_escape_string($_POST['code']);
$_POST['tags'] = $mysqli->real_escape_string($_POST['tags']);

$sql = <<<SQL
    INSERT 
    INTO snippets
    (CODE_NAME,CODE_DESC,CODE_USAGE,CODE_SYNTAX,CODE_TAGS)
    VALUES
    ('$_POST[name]', '$_POST[desc]', '$_POST[usage]', '$_POST[code]', '$_POST[tags]');
SQL;

if(!$result = $mysqli->query($sql)){
    echo '<br/><br/><br/><br/>' . "\n";
    echo '<div class="row">' . "\n";
    echo '  <div class="large-12 columns">' . "\n"; 
    echo '      <div data-alert class="alert-box alert">' . "\n";
    echo '          There was an error' . "\n";
    echo '          <a href="../site/upload.php" class="close">&times;</a>' . "\n";
    echo '      </div>' . "\n";
    echo '  </div>' . "\n";
    echo '</div>' . "\n";
    echo '<br/><br/><br/><br/>' . "\n";
    echo '<div class="row">' . "\n";
    echo '  <div class="large-12 columns">' . "\n";
    die('There was an error with the code [' . $mysqli->error . ']');
    echo '  </div>' . "\n";
    echo '</div>' . "\n";

}
    echo '<br/><br/><br/><br/>' . "\n";
    echo '<div class="row">' . "\n";
    echo '  <div class="large-12 columns">' . "\n"; 
    echo '      <div data-alert class="alert-box success">' . "\n";
    echo '          Code Successfully Added' . "\n";
    echo '          <a href="../site/" class="close">&times;</a>' . "\n";
    echo '      </div>' . "\n";
    echo '  </div>' . "\n";
    echo '</div>' . "\n";
    echo '<br/><br/><br/><br/>' . "\n";
*/

?>

*编辑* 这是我到目前为止所拥有的,但它似乎没有返回任何记录任何想法为什么?

 $q = $_GET['q'];

$DB_NAME = 'code_storage';
$DB_HOST = 'localhost';
$DB_USER = 'user';
$DB_PASS = 'pass';


$dsn = "mysql:host=$DB_HOST;dbname=$DB_NAME";
$db = new PDO($dsn, $DB_USER, $DB_PASS);

$query = "SELECT * FROM `SNIPPETS` WHERE `CODE_NAME` LIKE :name OR `CODE_DESC` LIKE :name OR `CODE_TAGS` LIKE :name OR `CODE_USAGE` LIKE :name";
$prep = $db->prepare($query);
$prep->execute(array(":name" => "%" . $q . "%"));

echo '<div class="row">';
    echo    '<div class="panel">';
       printf("Your search for <b>$q</b> returned %d records.\n", $prep->rowCount());
    echo    '</div>';
echo '</div>';

while ($row = $prep->fetch()) {
    echo '   <div class="row">' . "\n";
    echo '       <div class="large-12 columns">' . "\n";

    echo             $row['CODE_NAME'] . '<br/><br/>' . "\n";
    echo             $row['CODE_DESC'] . '<br/><br/>' . "\n";
    echo             $row['CODE_USAGE']. '<br/><br/>' . "\n";
    echo '       </div>' . "\n";
    echo '   </div>' . '<br/><br/>' . "\n"; 


}

$db = null;

我发现我收到了这个错误

Connection failed: SQLSTATE[HY093]: Invalid parameter number: number of bound    variables does not match number of tokens
4

1 回答 1

1

不幸的是,某些版本的 PDO 不知道如何在同一个查询中多次使用命名参数。如果我记得,这个错误在较新的版本中已修复,但您可能会在使用带有 PDO 的较旧版本的 PHP 时遇到困难。

一种解决方法是:

$query = "SELECT * FROM `SNIPPETS` WHERE `CODE_NAME` LIKE :name1 
  OR `CODE_DESC` LIKE :name2 
  OR `CODE_TAGS` LIKE :name3 
  OR `CODE_USAGE` LIKE :name4";
$prep = $db->prepare($query);
$qpattern = "%" . $q . "%";
$prep->execute(array(":name1" => $qpattern, ":name2" => $qpattern, ":name3" => $qpattern, ":name4" => $qpattern));

或者使用位置参数而不是命名参数:

$query = "SELECT * FROM `SNIPPETS` WHERE `CODE_NAME` LIKE ? 
  OR `CODE_DESC` LIKE ? 
  OR `CODE_TAGS` LIKE ? 
  OR `CODE_USAGE` LIKE ?";
$prep = $db->prepare($query);
$qpattern = "%" . $q . "%";
$prep->execute(array_fill(0, 4, $qpattern));

PS:与您关于使用准备好的语句的问题无关,但您使用'%pattern%'全文搜索比使用任何全文索引解决方案慢数千倍

另一个好习惯是在每次调用 PDO::prepare() 或 PDOStatement::execute() 后检查错误。要么启用异常模式,要么检查返回值false

if (($prep = $db->prepare(...)) === false) {
  // check $db->errorInfo() for details
}
if ($prep->execute(...) === false) {
  // check $prep->errorInfo() for details
}

检查错误也是旧 mysql API 和 mysqli API 的最佳实践。

于 2013-06-05T17:14:46.033 回答